[UNIX] BNC IRC Proxy Server Remote Buffer Overflow

• Previous message: SecuriTeam: "[NEWS] Cisco IOS DHCP Blocked Interface DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 11 Nov 2004 18:31:33 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  BNC IRC Proxy Server Remote Buffer Overflow
------------------------------------------------------------------------

SUMMARY

" <http://www.gotbnc.com/> BNC is an IRC (Internet Relay Chat) proxying
server under the GPL. It allows users to connect to chat servers by
bouncing off the computer which is running BNC. Basically, it forwards the
information from the user to the server and vise versa."

A buffer overflow vulnerability exhibit itself under certain conditions
when receiving replies from a remote IRC server.

DETAILS

Vulnerable Systems:
 * BNC version 2.8.9 and prior

Immune Systems:
 * BNC version 2.9.0

When BNC is connected to an IRC server it will 'USER' and 'NICK' commands
whenever needed. The server's response is processed in part by the
getnickuserhost() function which contains a flaw allowing the buffer
overflow. The vulnerable code:

int getnickuserhost(char **argv,char *buf,char *fix)
{
        int p,c;
        c=0;
        argv[0]=buf;

        for(p=0;buf[p];p++)
        {
                if(buf[p] == '!')
                {
                        buf[p]='\0';
                        fix[c++]='!';
                        argv[1]=&buf[p+1];
                }
                if(buf[p] == '@')
                {
                        buf[p]='\0';
                        fix[c++]='@';
                        argv[2]=&buf[p+1];
                }
        }
        return c;
}

The 'buf' variable points to a 512+1 static buffer (located in the BSS
segment) which contains the IRC server's response. The 'fix' variable
points to a some local stack buffer of 3 bytes. If the '!' or the '@'
characters are present in the server response (buf), they will be written
to 'fix'. The number of those characters that can be written into 'fix' is
not limited, hence leading to a possible buffer overflow.

The getnickuserhost() function is called from the following functions:
srv_nick(), ismenuh(), while ismenuh() is called from srv_part() and
process_join(), allowing for more than one code paths leading to the
vulnerable code. An example with the srv_nick() function is presented
below:

int srv_nick(struct cliententry *cptr, char *prefix, int pargc, char
**pargv)
{
        int p,repc,c,f;
        char repv[3];
        char *nuh[3];
        ...
        c=strlen(prefix);

        repc = getnickuserhost(nuh, prefix, repv);
        ...
        for(p=0;p<c;p++)
        {
                if( prefix[p] == '\0' )
                {
                        if(repc > 0)
                        {
                                prefix[p]=repv[f++];
                                repc--;
                        }
                }
        }
        ...

Since the stack can only be overflowed using the '!' and '@' characters,
exploiting the buffer overflow might not be trivial. It could be exploited
with off-by-one or off-by-two frame overflow, but some partial EIP
overflow could also prove to be useful. It is also possible to overflow
the 'c' counter that could have some impact later in the loop.

A proof of concept is available at <http://security.lss.hr/en/PoC/>
http://security.lss.hr/en/PoC/.

The result of running the PoC code is listed below:
[root@laptop bnc2.8.9]# gdb ./bnc 11313
..
Program received signal SIGSEGV, Segmentation fault.
0x21212121 in ?? ()
..
eax 0x1 1
ecx 0x30 48
edx 0x30 48
ebx 0x21212121 555819297
esp 0xbffff790 0xbffff790
ebp 0x21212121 0x21212121
esi 0x21212121 555819297
edi 0x21212121 555819297
eip 0x21212121 0x21212121
eflags 0x210246 2163270

Naturally the BNC daemon dies and all users are disconnected. At the very
least the impact of this buffer overflow is a denial of service attack
against the BNC server.

Vendor Status:
The vendor has already released a fixed version which mitigates this
vulnerability. BNC version 2.9.0 can be downloaded or a patch can be
downloaded from:
 <http://www.gotbnc.com/files/bnc2.9.0.tar.gz>
http://www.gotbnc.com/files/bnc2.9.0.tar.gz

ADDITIONAL INFORMATION

The information has been provided by <mailto:exposed@lss.hr> LSS
Security.
The original article can be found at:
<http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03>
http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Cisco IOS DHCP Blocked Interface DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]