Bugtraq mailing list archives

ircd buffer overflow
From: achurch () DRAGONFIRE NET (Andy Church)
Date: Tue, 1 Jul 1997 02:20:47 EDT


     There is a buffer overflow present in many IRC servers derived from
the irc2.x distribution, which has been reported as being actively
exploited on many networks.  In short, insufficient bounds checking on the
parameters to the SERVER message will overflow a buffer, and you can do
more or less anything you could do with any other buffer overflow.  (The
current spate of attacks is aimed at just crashing servers; this can be
accomplished with a single line of shell code.)  This overflow is a bit
more interesting than the usual, because it's not a case of _missing_
bounds checking; rather, it's _incorrect_ bounds checking, leading to a
strncpy(s1, s2, -1) under certain circumstances.

     This bug is known to be present in all versions of ircd.dal through
4.4.10, as well as the base irc2.8.21 distribution.  The bug is believed to
NOT be present in ircu2.9.32, and is known to not be present in
ircd.dal4.4.11.  The patch below was made against ircd.dal4.4.5, but should
apply more or less cleanly to other irc2.x derivations.

  --Andy Church                  | If Bell Atlantic really is the heart
    achurch () dragonfire net       | of communication, then it desperately
    www.dragonfire.net/~achurch/ | needs a quadruple bypass.

---------------------------------------------------------------------------

--- src/s_serv.c.old    Sun Dec  8 21:06:55 1996
+++ src/s_serv.c        Tue Jul  1 00:42:16 1997
@@ -282,15 +282,17 @@
            {
                hop = atoi(parv[2]);
                (void)strncpy(info, parv[3], REALLEN);
+               info[REALLEN] = 0;
            }
        else if (parc > 2)
            {
-               (void)strncpy(info, parv[2], REALLEN);
+               (void)strncpy(info, parv[2], REALLEN-2);
+               info[REALLEN-2] = 0;
                if (parc > 3)
                    {
-                               i = strlen(info);
-                               (void)strncat(info, " ", REALLEN - i - 1);
-                               (void)strncat(info, parv[3], REALLEN - i - 2);
+                       (void)strcat(info, " ");
+                       (void)strncat(info, parv[3], REALLEN-strlen(info));
+                       info[REALLEN] = 0;
                    }
            }
        /*
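Review bot: every branch now stores a terminator at `info[REALLEN]` (and `strncat(info, parv[3], REALLEN-strlen(info))` can also leave its NUL there), so the hunk only stays in bounds if `info` is declared as `char info[REALLEN+1]`; the declaration is outside the hunk, so either confirm it or lower each bound by one (`REALLEN-1`) if the array is `char info[REALLEN]`. The `REALLEN-2` copy plus one space keeps `strlen(info) <= REALLEN-1`, so `REALLEN-strlen(info)` is at least 1 and no longer wraps the way the old `REALLEN - i - 2` did when `i == REALLEN-1`; the `info[REALLEN] = 0` after that `strncat` is then redundant, since `strncat` always terminates, but harmless. Minor: the added lines mix tab and space indentation with the surrounding block.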


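As an added illustration (not part of the post above or the ircd source), here is a C length model of the pre-patch and patched `parc > 3` paths; it assumes REALLEN is 50 and uses hypothetical function names, and it computes indices instead of writing a real buffer so the wrap-around can be checked safely.

```c
/* Length model of the s_serv.c SERVER-info handling before and after the
 * patch above. REALLEN is assumed to be 50 for this demo (in ircd it is a
 * compile-time limit). Nothing is written to a real buffer; each function
 * returns the highest index of info the path would touch. */
#include <stddef.h>
#include <stdint.h>

#define REALLEN 50

/* Bound the pre-patch code hands to strncat for parv[3]. The arithmetic is
 * done in int, exactly as in the original, then converted to size_t
 * (strncat's parameter type): -1 becomes SIZE_MAX, i.e. no bound at all. */
size_t old_parv3_bound(size_t info_len)
{
    int i = (int)info_len;
    return (size_t)(REALLEN - i - 2);
}

/* Highest index of info written by the pre-patch path, given
 * strlen(info) == info_len after the strncpy (at most REALLEN - 1 when the
 * copy was terminated) and strlen(parv[3]) == len3. Note that the parv[3]
 * bound reuses i and ignores whether the " " was actually appended. */
size_t old_last_index_written(size_t info_len, size_t len3)
{
    size_t n_space = (size_t)(REALLEN - (int)info_len - 1);
    size_t len = info_len + (n_space ? 1 : 0);     /* " " appended or not */
    size_t n3 = old_parv3_bound(info_len);
    size_t copied = len3 < n3 ? len3 : n3;
    return len + copied;                  /* index of the NUL strncat writes */
}

/* Same quantity for the patched path, given strlen(parv[2]) == len2. The
 * REALLEN-2 copy plus one space keeps strlen(info) <= REALLEN-1, so the
 * REALLEN - strlen(info) bound is at least 1 and cannot wrap. The result
 * never exceeds REALLEN, which is why info must be char[REALLEN + 1]. */
size_t new_last_index_written(size_t len2, size_t len3)
{
    size_t len = (len2 < REALLEN - 2 ? len2 : REALLEN - 2) + 1;
    size_t n3 = REALLEN - len;
    size_t copied = len3 < n3 ? len3 : n3;
    return len + copied;
}
```

With a 49-character parv[2] and a 200-character parv[3], the old path reaches index 249 of a 50-byte array while the patched path stops at index 50.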
