[11377] in bugtraq


Re: w00w00's efnet ircd advisory (exploit included)

daemon@ATHENA.MIT.EDU (Jonathan R. Lusky)
Mon Aug 16 18:42:07 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id:  <199908150409.AAA31795@blown-rat.blown.net>
Date:         Sun, 15 Aug 1999 00:09:21 -0400
Reply-To: "Jonathan R. Lusky" <lusky@BLOWN.NET>
From: "Jonathan R. Lusky" <lusky@BLOWN.NET>
X-To:         shok@CANNABIS.DATAFORCE.NET
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.3.95.990813105919.12840A-101000@cannabis.dataforce.net>
              from Shok at "Aug 13, 99 11:01:58 am"

Shok writes:
> [http://www.w00w00.org, comments to shok@dataforce.net]
>
> SUMMARY
> efnet ircd hybrid-6 (up to beta 58) has a vulnerability that can allow
> remote access to the irc server.  In most cases, you'll gain privileges of
> the 'irc' user.

The buffer mentioned in the advisory was introduced in ircd-hybrid-6b17
and fixed in ircd-hybrid-6b75.  All EFnet servers have upgraded or patched.
Hybrid-6 is still in semi-private beta and has not been released publicly.
The current release version of Hybrid is ircd-hybrid-5.3p7, which is not
vulnerable.

The bug report address for Hybrid is ircd-hybrid@the-project.org.
[ insert notifying-the-author speech--first we heard about someone finding
a way to exploit this overflow was your bugtraq posting. ]

There is also a mailing list for general discussion of Hybrid.  To subscribe
to the Hybrid List, send email to hybrid-request@the-project.org with
the subject "subscribe".


> COMMENTS
> This vulnerability was discovered by jduck and stranjer of w00w00 at
> least 2 months ago.  After discussing the vulnerability, it was reported
> to Dianora by jduck and fixed.  Hopefully the vulnerable irc servers have
> been fixed.  If not, it's unfortunate Dianora didn't notify the vulnerable
> irc servers or they didn't take these 2 months to fix themselves (note:
> we didn't wait that long on purpose.. we were just sidetracked with a
> million other things).
>
> DESCRIPTION
> The vulnerability is in the invite handling code (m_invite).  In a
> channel with operators (ops) and modes +pi (paranoid + invite-only), a
> channel invitation is reported to all other operators.  The buffer used to
> store the invitation notice can overflow its boundaries by up to 15
> bytes.
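
The failure mode the advisory describes (an invitation notice built into a fixed-size buffer from caller-supplied nick and channel names), as an added illustration in C that is not ircd-hybrid's m_invite code: the notice wording, the 512-byte buffer size and the over-long nickname are assumptions, and the bounded builder shows the truncation check a server should make before sending.

```c
#include <stdio.h>
#include <string.h>

#define IRC_LINE_MAX 512            /* RFC 1459 line limit, CRLF included */
#define NOTICE_BUF   IRC_LINE_MAX   /* assumed size of the notice buffer  */

/* Hypothetical notice text; not the wording ircd-hybrid actually sends. */
#define INVITE_FMT ":%s NOTICE @%s :%s invited %s into channel %s\r\n"

/* Bytes (NUL included) that an unbounded sprintf() would write.  Measuring
 * instead of writing lets us see the overrun without corrupting memory. */
size_t invite_notice_len(const char *inviter, const char *target, const char *chan)
{
    return (size_t)snprintf(NULL, 0, INVITE_FMT, inviter, chan, inviter, target, chan) + 1;
}

/* Bytes by which an unbounded write would run past a bufsz-byte buffer. */
size_t invite_notice_overrun(size_t bufsz, const char *inviter,
                             const char *target, const char *chan)
{
    size_t need = invite_notice_len(inviter, target, chan);
    return need > bufsz ? need - bufsz : 0;
}

/* Hardened builder: bounded write plus an explicit truncation signal.
 * Returns 1 when the whole notice fits, 0 when snprintf() had to truncate
 * (the caller should then drop the notice rather than send a clipped line). */
int build_invite_notice(char *out, size_t outsz, const char *inviter,
                        const char *target, const char *chan)
{
    int n = snprintf(out, outsz, INVITE_FMT, inviter, chan, inviter, target, chan);
    return n >= 0 && (size_t)n < outsz;
}

/* Constructed over-long input: a 300-byte nickname, far past the 9-byte
 * RFC 1459 limit, is the kind of unchecked length that turns into an
 * overrun of NOTICE_BUF.  Returns the overrun in bytes. */
size_t demo_overlong_nick_overrun(void)
{
    char nick[301], out[NOTICE_BUF];
    memset(nick, 'a', 300);
    nick[300] = '\0';
    /* The bounded builder refuses this notice (returns 0); report how far
     * an unbounded write would have gone past the buffer instead. */
    if (build_invite_notice(out, sizeof out, nick, "bob", "#w00w00"))
        return 0;
    return invite_notice_overrun(NOTICE_BUF, nick, "bob", "#w00w00");
}
```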
