Re: [Full-Disclosure] [ GLSA 200501-40 ] ngIRCd: Buffer overflow

From: qobaiashi (qobaiashi_at_gmx.net)
Date: 02/02/05

  • Next message: Paul Laudanski: "Windows Security Checklists - 10 Parts"
    To: Thierry Carrez <koon@gentoo.org>
    Date: Wed, 2 Feb 2005 22:15:00 +0100
    
    

    > Severity: High
    > Title: ngIRCd: Buffer overflow
    > Date: January 28, 2005
    > Bugs: #79705
    > ID: 200501-40
    >
    > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    >
    > Synopsis
    > ========
    >
    > ngIRCd is vulnerable to a buffer overflow that can be used to crash the
    > daemon and possibly execute arbitrary code.

    after a quick check IMHO the bug is not exploitable (except for dos):

    to reproduce the bug do:

    /j #test
    /mode #test +I aaax300here@aaax128here

    and watch it go down in:

    Program received signal SIGSEGV, Segmentation fault.
    0x400c5b8c in memcpy () from /lib/libc.so.6
    (gdb) info all-registers
    eax 0x8067e2c 134643244
    ecx 0xffffad7f -21121
    edx 0x80650ca 134631626
    ebx 0xffffff53 -173
    esp 0xbfffeb24 0xbfffeb24
    ebp 0xbfffeb58 0xbfffeb58
    esi 0x806a29e 134652574
    edi 0x806d000 134664192
    eip 0x400c5b8c 0x400c5b8c

    Dump of assembler code for function memcpy:
    0x400c5b20 <memcpy>: push %edi
    0x400c5b21 <memcpy+1>: push %esi
    0x400c5b22 <memcpy+2>: mov 0xc(%esp,1),%edi
    0x400c5b26 <memcpy+6>: mov 0x10(%esp,1),%esi
    0x400c5b2a <memcpy+10>: mov 0x14(%esp,1),%ecx
    0x400c5b2e <memcpy+14>: mov %edi,%eax
    0x400c5b30 <memcpy+16>: cld
    0x400c5b31 <memcpy+17>: cmp $0x20,%ecx
    0x400c5b34 <memcpy+20>: jbe 0x400c5b8c <memcpy+108>
    0x400c5b36 <memcpy+22>: neg %eax
    0x400c5b38 <memcpy+24>: and $0x3,%eax
    0x400c5b3b <memcpy+27>: sub %eax,%ecx
    0x400c5b3d <memcpy+29>: xchg %eax,%ecx
    0x400c5b3e <memcpy+30>: repz movsb %ds:(%esi),%es:(%edi)
    0x400c5b40 <memcpy+32>: mov %eax,%ecx
    0x400c5b42 <memcpy+34>: sub $0x20,%ecx
    0x400c5b45 <memcpy+37>: js 0x400c5b85 <memcpy+101>
    0x400c5b47 <memcpy+39>: mov (%edi),%eax
    0x400c5b49 <memcpy+41>: mov 0x1c(%edi),%edx
    0x400c5b4c <memcpy+44>: sub $0x20,%ecx
    0x400c5b4f <memcpy+47>: mov (%esi),%eax
    0x400c5b51 <memcpy+49>: mov 0x4(%esi),%edx
    0x400c5b54 <memcpy+52>: mov %eax,(%edi)
    0x400c5b56 <memcpy+54>: mov %edx,0x4(%edi)
    0x400c5b59 <memcpy+57>: mov 0x8(%esi),%eax
    0x400c5b5c <memcpy+60>: mov 0xc(%esi),%edx
    0x400c5b5f <memcpy+63>: mov %eax,0x8(%edi)
    0x400c5b62 <memcpy+66>: mov %edx,0xc(%edi)
    0x400c5b65 <memcpy+69>: mov 0x10(%esi),%eax
    0x400c5b68 <memcpy+72>: mov 0x14(%esi),%edx
    0x400c5b6b <memcpy+75>: mov %eax,0x10(%edi)
    0x400c5b6e <memcpy+78>: mov %edx,0x14(%edi)
    0x400c5b71 <memcpy+81>: mov 0x18(%esi),%eax
    0x400c5b74 <memcpy+84>: mov 0x1c(%esi),%edx
    0x400c5b77 <memcpy+87>: mov %eax,0x18(%edi)
    0x400c5b7a <memcpy+90>: mov %edx,0x1c(%edi)
    0x400c5b7d <memcpy+93>: lea 0x20(%esi),%esi
    0x400c5b80 <memcpy+96>: lea 0x20(%edi),%edi
    0x400c5b83 <memcpy+99>: jns 0x400c5b49 <memcpy+41>
    0x400c5b85 <memcpy+101>: add $0x20,%ecx
    0x400c5b88 <memcpy+104>: mov 0xc(%esp,1),%eax
    0x400c5b8c <memcpy+108>: repz movsb %ds:(%esi),%es:(%edi)
    0x400c5b8e <memcpy+110>: pop %esi
    0x400c5b8f <memcpy+111>: pop %edi
    0x400c5b90 <memcpy+112>: ret
    0x400c5b91 <memcpy+113>: nop
    0x400c5b92 <memcpy+114>: nop
    0x400c5b93 <memcpy+115>: nop
    0x400c5b94 <memcpy+116>: nop
    0x400c5b95 <memcpy+117>: nop
    0x400c5b96 <memcpy+118>: nop
    0x400c5b97 <memcpy+119>: nop
    0x400c5b98 <memcpy+120>: nop
    0x400c5b99 <memcpy+121>: nop
    0x400c5b9a <memcpy+122>: nop
    0x400c5b9b <memcpy+123>: nop
    0x400c5b9c <memcpy+124>: nop
    0x400c5b9d <memcpy+125>: nop
    0x400c5b9e <memcpy+126>: nop
    0x400c5b9f <memcpy+127>: nop
    End of assembler dump.
    (gdb)

    yours
    -q


  • Next message: Paul Laudanski: "Windows Security Checklists - 10 Parts"

    Relevant Pages

    • Re: Penalties for segment overrides on 8086?
      ... You may do so unless you want to run on some older CPUs. ... of the 8088s had a bug where the interrupt was not inhibited properly. ... mov ss, ax -> disables interrupts temporarily for the duration of next insn ...
      (comp.lang.asm.x86)
    • Re: Heres a program that crashes RosAsm
      ... >>The code that brought this bug to my ... > mov al, B$0 ... this says something real about RosAsm ... Master Pdf absolutely means to "prove" that RosAsm ...
      (alt.lang.asm)
    • Re: Penalties for segment overrides on 8086?
      ... POPF has another possible bug, in that if the previous situation was CLI and the POPF'ed value is also CLI, you would assume that no interrupt could occur, right? ... The only way to restore the previous flags and maintain the CLI condition throughout was to fake it out with an IRET, which had to work for the chip to be usable at all: ... mov ax, offset @return ...
      (comp.lang.asm.x86)
    • This 8088 code shouldnt work, yet does?
      ... bug where MOV SS fails to disable interrupts. ... MOV ES, AX ... [All registers are displayed at this point, where you want to look at ... Does it have something to do with DEBUG inserting ...
      (comp.lang.asm.x86)
    • Re: a common belief or a wrong C[++] compiler?
      ... >> mov eax, 1 ... >> sub eax, esi ...
      (alt.lang.asm)