[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Charybdis: Improper assumptions in the server handshake code may lead to a remote crash
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Charybdis: Improper assumptions in the server handshake code may lead to a remote crash
- From: muztapha@xxxxxxxxx
- Date: Mon, 31 Dec 2012 21:59:15 GMT
Access vector: network
Access complexity: low
Authentication requirement: none
Confidentiality impact: none
Integrity impact: none
Availability impact: complete
CVSSv2 temporal score: 6.4
Exploitability: functional exploit exists
Remediation level: official fix
Report confidence: confirmed
Summary:
All versions of Charybdis are vulnerable to a remotely-triggered crash bug
caused by code originating from ircd-ratbox 2.0. (Incidentally, this means all
versions since ircd-ratbox 2.0 are also vulnerable.)
The bug has to do with server capability negotiation. A malformed request will
trigger a crash due to invalid assumptions.
Mitigation:
A patch for all affected versions of ircd-ratbox and charybdis is available from
the charybdis GIT repository:
https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch
To apply the patch, go to your IRCd source tree and run the following commands:
$ patch -p1 < /path/to/downloaded/patchfile.patch
$ make
$ make install
Then you may hotfix the IRCd by running /MODRESTART as a server admin.
Details:
In ratbox-2, the following code was added to m_capab.c:
char *t = LOCAL_COPY(parv[i]);
The other logic was then modified to make use of that stack-allocated buffer
rather
than the original. LOCAL_COPY() is a macro which expands to alloca() and
strlcpy(),
and the bug effectively is caused by this expansion calling strlen(NULL).