BNC 2.8.9 remote buffer overflow
LSS Security Advisory #LSS-2004-11-3
http://security.lss.hr
---
Title : BNC 2.8.9 remote buffer overflow
Advisory ID : LSS-2004-11-3
Date : November 10th, 2004
Advisory URL: :
http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03
Impact : Remote code execution or DoS attack
Risk level : High
Vulnerability type : Remote
Vendors contacted : www.gotbnc.com, November 7th, 2004
---
===[ Overview
BNC is an IRC (Internet Relay Chat) proxying server under the GPL. It
allows users to connect to chat servers by bouncing off the computer which
is running BNC. Basically, it forwards the information from the user to the
server and vise versa.
===[ Vulnerability
There is a buffer overflow vulnerability in getnickuserhost() function that
is called when BNC is processing response from some IRC server. When BNC is
connected to some IRC server, it will send 'USER' and 'NICK' command. Server
response is at some point processed with getnickuserhost() function.
Vulnerable code:
----------------
int getnickuserhost(char **argv,char *buf,char *fix)
{
int p,c;
c=0;
argv[0]=buf;
for(p=0;buf[p];p++)
{
if(buf[p] == '!')
{
buf[p]='\0';
fix[c++]='!';
argv[1]=&buf[p+1];
}
if(buf[p] == '@')
{
buf[p]='\0';
fix[c++]='@';
argv[2]=&buf[p+1];
}
}
return c;
}
----------------
'buf' points to 512+1 bytes static buffer (in BSS segment) that contains
server response, and 'fix' points to 3 byte stack buffer. If there is '!'
or '@' character in server response (buf), it will be written to 'fix'.
Number of '!' and '@' characters that can be written to 'fix' isn't
limited, so it is possible to overflow it.
Function getnickuserhost() is called from functions srv_nick() and
ismenuh(), and ismenuh() is called from srv_part() and process_join(), so
there are few possible exploitation paths.
srv_nick() example:
----------------
int srv_nick(struct cliententry *cptr, char *prefix, int pargc, char
**pargv)
{
int p,repc,c,f;
char repv[3];
char *nuh[3];
...
c=strlen(prefix);
repc = getnickuserhost(nuh, prefix, repv);
...
for(p=0;p<c;p++)
{
if( prefix[p] == '\0' )
{
if(repc > 0)
{
prefix[p]=repv[f++];
repc--;
}
}
}
...
----------------
Since stack can be overflowed just with '!' and '@' characters, it isn't
easy to exploit this vulnerability. It could be exploited with off-by-one
or off-by-two frame overflow, but some partial EIP overflow could also
prove to be useful. It is also possible to overflow 'c' counter that could
have some impact later in 'for' loop.
===[ Affected versions
Vulnerability has been discovered and tested on latest BNC 2.8.9, but older
versions are affected too. Vulnerability can be exploited if attacker
tricks user to connect to his fake IRC server that will exploit this
vulnerability. If the attacker has access to BNC proxy server, this
vulnerability can be used to gain shell access on machine where BNC proxy
server is set.
===[ Fix
Vendor has released a patched version - bnc-2.9.0.
The source of the patched version can be downloaded from:
http://www.gotbnc.com/files/bnc2.9.0.tar.gz
===[ PoC Exploit
Proof of concept code can be downloaded from http://security.lss.hr/en/PoC/
BNC status after PoC overflow:
----------------------
[root@laptop bnc2.8.9]# gdb ./bnc 11313
...
Program received signal SIGSEGV, Segmentation fault.
0x21212121 in ?? ()
...
eax 0x1 1
ecx 0x30 48
edx 0x30 48
ebx 0x21212121 555819297
esp 0xbffff790 0xbffff790
ebp 0x21212121 0x21212121
esi 0x21212121 555819297
edi 0x21212121 555819297
eip 0x21212121 0x21212121
eflags 0x210246 2163270
...
----------------------
After PoC overflow, BNC daemon dies, and all users will be disconnected,
so this vulnerability can also be used as an DoS (Denial of Service)
attack.
===[ Credits
Credits for this vulnerability goes to Leon Juranic.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775