[11058] in bugtraq
Re: ircd exploit in ircu based code (fwd)
daemon@ATHENA.MIT.EDU (Andrea Cocito)
Sat Jul 17 05:26:19 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <l03130302b3b4b745213b@[212.216.224.111]>
Date: Fri, 16 Jul 1999 12:26:02 +0200
Reply-To: Andrea Cocito <blackye@UNDERNET.ORG>
From: Andrea Cocito <blackye@UNDERNET.ORG>
X-To: Matt Hallacy <poptix@INGS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.05.9907152038030.24848-100000@cybernet.ings.com>
At 3:42 +0200 16-07-1999, Matt Hallacy wrote:
>Nemesi, this is present in 2.10.06, lulea-r, ann-arbor, plano, Gothenburq,
>and toronto are for sure susceptible (they crashed, heh) and thus the
>reason for the latest patch to the repository, nullchan.patch.
>
>It was fixed and patches were submitted to undernet-admins@undernet.org 3
>or 4 days ago, and since the public posting of it the nullchan.patch was
>sent to coder-com@undernet.org and the patch was added to the CVS.

It just didn't seem to be the same bug from how it was reported; now I
have looked at it more closely and understand that it is.

The bug is the same one that appears in a piece of code that looks
different in Undernet's current codebase; it has been patched
with nullchan.patch at patchlevel 24 of the current source tree
available via cvs on coder-com.undernet.org. Version u2.10.06.24
and following of our codebase are thus immune; anything derived
from previous versions isn't.

Excuse me, I did not have the time to warn the other networks about it
and to reply correctly to the report here; it was because I was busy
having to patch our 45 servers on the fly while some kid was having
fun disrupting the service, like this one:

Core was generated by `ircd.9905101130.'.
Program terminated with signal 11, Segmentation fault.
Cannot access memory at address 0x20047080.
#0 m_join (cptr=0x206800, sptr=0x206800, parc=2, parv=0x47310)
at channel.c:2454
(gdb) p sptr->name
$1 = "Pinetree", '\000' <repeats 55 times>
(gdb) p sptr->ip
$2 = {s_addr = 1025006872}
(gdb) p sptr->sockhost
$3 = "d185d183d.rochester.rr.com", '\000' <repeats 37 times>
(gdb) p sptr->username
$4 = "poptix\000\000\000\000"
(gdb)
Thanks Matt aka Pinetree!poptix@d185d183d.rochester.rr.com
Andrea aka Nemesi