Unreal ircd Format String Vuln

From: Gabriel A. Maggiotti (gmaggiot@ciudad.com.ar)
Date: 02/25/02

Date: Mon, 25 Feb 2002 13:30:26 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
To: vuln-dev@securityfocus.com

Web: http://qb0x.net Author: Gabriel A. Maggiotti
Date: Febrary 25, 2002 E-mail: gmaggiot@ciudad.com.ar

General Info
Problem Type : Format String Vulnerability
Product : Unreal irc server
Version : tested in 3.1.1
Vendor : www.unrealircd.org

A security vulnerability has been found in the popular Unreal irc server.
Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function.
This function is in /src/cio_main.c file

Piece of code:

        va_start(argptr, InBuf);
        Len = vsprintf(Buffer, InBuf, argptr);

The problem is with InBuf, if %p.%p.%p.%n is written in InBuf a segfault
is produced, the program crashes when it tries to copy the value of eax
to the address of edx.

Don't forget to use the proper format of svprintf:

        int vprintf(const char *format, va_list ap);

research-list@qb0x.net is dedicated to interactively researching vulnerab-
ilities, report potential or undeveloped holes in any kind of computer system.
To subscribe to research-list@qb0x.ne t send a blank email to
research-list-subscribe@qb0x.net. More help available sending an email
to research-list-help@qb0x.net.
Note: the list doesn't allow html, it will be stripped from messages.