[Full-disclosure] silc-server 1.0.2 denial-of-service vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] silc-server 1.0.2 denial-of-service vulnerability
- From: Alexander Heidenreich <a.heidenreich@xxxxxxxxxxx>
- Date: Tue, 6 Mar 2007 18:48:08 +0100
Hi,
there is a bug in the current version of silc-server that makes it
possible to crash a network's SILC router or a standalone server, when a
new channel is created. All it takes is to specify an invalid hmac
algorithm name and no cipher algorithm name. This results in a null
pointer dereference in 'SILC_SERVER_CMD_FUNC(join)' at line 2444 in
apps/silcd/command.c.
To reproduce:
/connect yourserver
/join nonexistent -hmac nonexistent
The attached patch fixes the problem.
Best regards,
Frank Benkstein
--
GPG (Mail): 7093 7A43 CC40 463A 5564 599B 88F6 D625 BE63 866F
GPG (XMPP): 2243 DBBA F234 7C5A 6D71 3983 9F28 4D03 7110 6D51
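The failure mode described in the report above, as an added example that is not part of the original post or of silc-server: a stand-alone model of the JOIN error path that never takes the length of a missing name. The algorithm tables, the enum and the struct are assumptions made for illustration, and the model goes one step beyond the null check by reporting whichever supplied name is actually unknown.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical algorithm tables; the server's real lists are not on the page. */
static const char *const KNOWN_CIPHERS[] = { "aes-256-cbc", "aes-128-cbc", NULL };
static const char *const KNOWN_HMACS[]   = { "hmac-sha1-96", "hmac-sha1", NULL };

static int is_known(const char *const *table, const char *name)
{
    for (; *table; table++)
        if (strcmp(*table, name) == 0)
            return 1;
    return 0;
}

enum join_error { JOIN_ERR_UNKNOWN_ALGORITHM, JOIN_ERR_OTHER }; /* constructed */

struct join_reply {
    enum join_error code;
    const char *name;   /* offending algorithm name, or NULL */
    size_t name_len;    /* 0 when name is NULL */
};

/* Build the error reply after channel creation failed. Either name may be
 * NULL because the client left it out; calling strlen() on the cipher name
 * without a check dereferences NULL when only an hmac name was supplied. */
struct join_reply join_failure_reply(const char *cipher, const char *hmac)
{
    struct join_reply r = { JOIN_ERR_OTHER, NULL, 0 };
    const char *bad = NULL;

    if (cipher && !is_known(KNOWN_CIPHERS, cipher))
        bad = cipher;
    else if (hmac && !is_known(KNOWN_HMACS, hmac))
        bad = hmac;
    if (bad) {
        r.code = JOIN_ERR_UNKNOWN_ALGORITHM;
        r.name = bad;
        r.name_len = strlen(bad);
    }
    return r;
}

int main(void)
{
    /* Constructed input mirroring the report: no cipher, unknown hmac. */
    struct join_reply r = join_failure_reply(NULL, "nonexistent");
    return !(r.code == JOIN_ERR_UNKNOWN_ALGORITHM && r.name_len == 11);
}
```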
diff -ur silc-server-1.0.2.orig/apps/silcd/command.c
silc-server-1.0.2/apps/silcd/command.c
--- silc-server-1.0.2.orig/apps/silcd/command.c 2007-03-06 11:21:40.000000000
+0100
+++ silc-server-1.0.2/apps/silcd/command.c 2007-03-06 13:33:28.000000000
+0100
@@ -2441,10 +2441,22 @@
channel = silc_server_create_new_channel(server, server->id, cipher,
hmac, channel_name, TRUE);
if (!channel) {
- silc_server_command_send_status_data(
- cmd, SILC_COMMAND_JOIN,
- SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
- 0, 2, cipher, strlen(cipher));
+ if (cipher) {
+ silc_server_command_send_status_data(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
+ 0, 2, cipher, strlen(cipher));
+ } else if (hmac) {
+ silc_server_command_send_status_data(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
+ 0, 2, hmac, strlen(hmac));
+ } else {
+ silc_server_command_send_status_reply(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_RESOURCE_LIMIT,
+ 0);
+ }
silc_free(client_id);
goto out;
}
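Review bot: The `if (cipher)` branch reports the cipher name whenever one was supplied, even when channel creation failed because of the hmac name. With a cipher given alongside an invalid hmac, the client is told its cipher is unknown. As used here, silc_server_create_new_channel only yields a channel or NULL, so this caller cannot tell which name was rejected; consider checking each name before the call, or having the function indicate which one failed, and sending that name with SILC_STATUS_ERR_UNKNOWN_ALGORITHM.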
@@ -2505,10 +2517,22 @@
channel = silc_server_create_new_channel(server, server->id, cipher,
hmac, channel_name, TRUE);
if (!channel) {
- silc_server_command_send_status_data(
- cmd, SILC_COMMAND_JOIN,
- SILC_STATUS_ERR_UNKNOWN_ALGORITHM, 0,
- 2, cipher, strlen(cipher));
+ if (cipher) {
+ silc_server_command_send_status_data(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
+ 0, 2, cipher, strlen(cipher));
+ } else if (hmac) {
+ silc_server_command_send_status_data(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
+ 0, 2, hmac, strlen(hmac));
+ } else {
+ silc_server_command_send_status_reply(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_RESOURCE_LIMIT,
+ 0);
+ }
silc_free(client_id);
goto out;
}
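Review bot: The 16 added lines under `if (!channel)` are a verbatim copy of the block added in the hunk at 2441, and the same block appears a third time at 2541. A small static helper taking cmd, cipher and hmac, called from all three sites, would keep the NULL checks from drifting apart; the removed lines show the call sites had already diverged in how the arguments were wrapped.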
@@ -2541,10 +2565,22 @@
channel = silc_server_create_new_channel(server, server->id, cipher,
hmac, channel_name, TRUE);
if (!channel) {
- silc_server_command_send_status_data(
- cmd, SILC_COMMAND_JOIN,
- SILC_STATUS_ERR_UNKNOWN_ALGORITHM, 0,
- 2, cipher, strlen(cipher));
+ if (cipher) {
+ silc_server_command_send_status_data(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
+ 0, 2, cipher, strlen(cipher));
+ } else if (hmac) {
+ silc_server_command_send_status_data(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_UNKNOWN_ALGORITHM,
+ 0, 2, hmac, strlen(hmac));
+ } else {
+ silc_server_command_send_status_reply(
+ cmd, SILC_COMMAND_JOIN,
+ SILC_STATUS_ERR_RESOURCE_LIMIT,
+ 0);
+ }
silc_free(client_id);
goto out;
}
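Review bot: The final `else` branch sends SILC_STATUS_ERR_RESOURCE_LIMIT with no comment explaining why that status fits a failure where neither a cipher nor an hmac name was given. It also switches from silc_server_command_send_status_data to silc_server_command_send_status_reply with a different argument list. A short comment stating that this path covers creation failures unrelated to algorithm names, and why no data payload is sent, would make the choice reviewable.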