[IRCServices] bug in ircservices and epona can crash services

Lucas Nussbaum lucas at lucas-nussbaum.net
Sun Jun 23 19:08:01 PDT 2002


Hi,

There's a bug in both ircservices and epona which can cause services to crash. Remote execution of code on the services account is theoretically possible (it isn't likely, but you never know).

I won't detail the contents of the patch yet: I don't want all networks to be crashed by users because of me ;o) I will just tell you that every user on your network can crash your services.

The bug was found by Aristotles (he is asleep right now, so I can't ask for more information to be able to credit him properly). Anyway, congratulations go to him :)

Andrew Church (for ircservices) and lara (for epona) were both contacted. They might release a new version fixing this in a more clever way soon.

Patch for epona:
http://www.lucas-nussbaum.net/epona-1.4.11+formatfix.diff
(please note that the bug is in ircservices code used by epona, so lara isn't to blame)

Patch for ircservices:
http://www.lucas-nussbaum.net/ircservices-4.5.40+formatfix.diff

To apply (example for epona):
cd epona-1.4.11
patch -p1 < epona-1.4.11+formatfix.diff

The patch is very simple, and applies to some very old code, so you should be able to apply it to older versions too.

Other services based on ircservices might be vulnerable too.
Thales (IRC to MySQL gateway, see http://www.lucas-nussbaum.net/thales/ ) contains the vulnerable code but doesn't use it.


After I contacted him, Andrew Church suggested the following patch:
Index: send.c
===================================================================
RCS file: /var/cvs-private/ircservices/send.c,v
retrieving revision 1.8.4.2
diff -u -r1.8.4.2 send.c
--- send.c	7 Jan 2002 15:35:56 -0000	1.8.4.2
+++ send.c	23 Jun 2002 16:55:36 -0000
@@ -100,8 +100,8 @@
     char buf[BUFSIZE];
 
     va_start(args, fmt);
-    snprintf(buf, sizeof(buf), "NOTICE %s :%s", dest, fmt);
-    vsend_cmd(source, buf, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
+    send_cmd(source, "NOTICE %s :%s", dest, buf);
 }
 
 
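Review bot: the ordering of the two `+` lines is the entire fix and deserves a comment right there: `fmt` is expanded with `args` by `vsnprintf()` first, and the result `buf` (together with `dest`) then reaches `send_cmd()` only as a `%s` argument, so a `%` sequence in a nickname or in the expanded text is never parsed as a conversion. Also, the `va_start(args, fmt)` in the context line has no matching `va_end(args)` before the closing `}` visible here; if the function has none elsewhere, add one after the `vsnprintf()` call.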
@@ -195,8 +195,8 @@
     char buf[BUFSIZE];
 
     va_start(args, fmt);
-    snprintf(buf, sizeof(buf), "PRIVMSG %s :%s", dest, fmt);
-    vsend_cmd(source, buf, args);
+    vsnprintf(buf, sizeof(buf), fmt, args);
+    send_cmd(source, "PRIVMSG %s :%s", dest, buf);
 }
 
 /*************************************************************************/
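Review bot: this hunk is the NOTICE hunk with `PRIVMSG` substituted, so consider one static helper taking the command name (`"NOTICE"` / `"PRIVMSG"`) and having both wrappers call it; two hand-maintained copies are exactly how one of them ends up unfixed later. The same observation about a `va_end(args)` missing before the visible `}` applies here.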
@@ -258,12 +258,12 @@
     char buf[BUFSIZE];
 
     va_start(args, fmt);
+    vsnprintf(buf, sizeof(buf), fmt, args);
 #ifdef IRC_DALNET
-    snprintf(buf, sizeof(buf), "GLOBOPS :%s", fmt);
+    send_cmd(source ? source : ServerName, "GLOBOPS :%s", buf);
 #else
-    snprintf(buf, sizeof(buf), "WALLOPS :%s", fmt);
+    send_cmd(source ? source : ServerName, "WALLOPS :%s", buf);
 #endif
-    vsend_cmd(source ? source : ServerName, buf, args);
 }
 
 /*************************************************************************/
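Review bot: hoisting `vsnprintf(buf, sizeof(buf), fmt, args)` above the `#ifdef` is right, but the two `+` branches now differ only in the literal `"GLOBOPS :%s"` vs `"WALLOPS :%s"`; selecting that literal in the `#ifdef` and keeping a single `send_cmd(source ? source : ServerName, ...)` call after `#endif` keeps the fix in one place. Since the removed `vsend_cmd()` line sat after `#endif`, also check that the function still closes the `va_start` in context with a `va_end(args)`.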

So I'll let you choose which one you prefer ;)

Bye,

lucas
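The fixed wrapper shape from the patch above, as an added example that is not code from this post or from ircservices/epona: a stand-in send_cmd() that records the finished line instead of sending it (the ":source " prefix is an assumption), and a notice() that expands its own arguments first so that '%' in the destination or message only ever travels as data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 1024

/* Constructed stand-in for ircservices' send_cmd(): instead of writing to the
 * server socket it records the finished line in last_line for inspection.
 * The ":source " prefix is an assumption made for this example. */
static char last_line[BUFSIZE];

static void send_cmd(const char *source, const char *fmt, ...)
{
    char line[BUFSIZE];
    va_list args;

    va_start(args, fmt);
    vsnprintf(line, sizeof(line), fmt, args);
    va_end(args);
    snprintf(last_line, sizeof(last_line), ":%s %s", source, line);
}

/* notice() in the shape the patch gives it: expand fmt with its own
 * arguments first, then hand the result to send_cmd() purely as data.
 * Neither dest nor the expanded text is ever used as a format string. */
static void notice(const char *source, const char *dest, const char *fmt, ...)
{
    char buf[BUFSIZE];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buf, sizeof(buf), fmt, args);
    va_end(args);
    send_cmd(source, "NOTICE %s :%s", dest, buf);
}

const char *last_sent(void) { return last_line; }

/* Self-check: '%' characters arriving through arguments (here the constructed
 * value "90%") must come out literally.  Returns 1 on success. */
int check_percent_passthrough(void)
{
    notice("OperServ", "lucas", "Load is %s, %d warnings", "90%", 2);
    return strcmp(last_line,
                  ":OperServ NOTICE lucas :Load is 90%, 2 warnings") == 0;
}
```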