
Re: [Full-Disclosure] [ GLSA 200501-40 ] ngIRCd: Buffer overflow



qobaiashi
03/02/05, 01:35
> Severity: High
> Title: ngIRCd: Buffer overflow
> Date: January 28, 2005
> Bugs: #79705
> ID: 200501-40
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> ngIRCd is vulnerable to a buffer overflow that can be used to crash the
> daemon and possibly execute arbitrary code.

After a quick check, IMHO the bug is not exploitable (except for DoS):

to reproduce the bug do:

/j #test
/mode #test +I aaax300here@aaax128here


and watch it go down in memcpy. In the register dump below, ecx (the remaining byte count of the `rep movsb` at memcpy+108) is 0xffffad7f, i.e. a negative/huge length, and edi has reached the page-aligned address 0x806d000, which looks like the copy ran off the end of the mapped heap and faulted before memcpy could return:

Program received signal SIGSEGV, Segmentation fault.
0x400c5b8c in memcpy () from /lib/libc.so.6
(gdb) info all-registers
eax 0x8067e2c 134643244
ecx 0xffffad7f -21121
edx 0x80650ca 134631626
ebx 0xffffff53 -173
esp 0xbfffeb24 0xbfffeb24
ebp 0xbfffeb58 0xbfffeb58
esi 0x806a29e 134652574
edi 0x806d000 134664192
eip 0x400c5b8c 0x400c5b8c

Dump of assembler code for function memcpy:
0x400c5b20 <memcpy>: push %edi
0x400c5b21 <memcpy+1>: push %esi
0x400c5b22 <memcpy+2>: mov 0xc(%esp,1),%edi
0x400c5b26 <memcpy+6>: mov 0x10(%esp,1),%esi
0x400c5b2a <memcpy+10>: mov 0x14(%esp,1),%ecx
0x400c5b2e <memcpy+14>: mov %edi,%eax
0x400c5b30 <memcpy+16>: cld
0x400c5b31 <memcpy+17>: cmp $0x20,%ecx
0x400c5b34 <memcpy+20>: jbe 0x400c5b8c <memcpy+108>
0x400c5b36 <memcpy+22>: neg %eax
0x400c5b38 <memcpy+24>: and $0x3,%eax
0x400c5b3b <memcpy+27>: sub %eax,%ecx
0x400c5b3d <memcpy+29>: xchg %eax,%ecx
0x400c5b3e <memcpy+30>: repz movsb %ds:(%esi),%es:(%edi)
0x400c5b40 <memcpy+32>: mov %eax,%ecx
0x400c5b42 <memcpy+34>: sub $0x20,%ecx
0x400c5b45 <memcpy+37>: js 0x400c5b85 <memcpy+101>
0x400c5b47 <memcpy+39>: mov (%edi),%eax
0x400c5b49 <memcpy+41>: mov 0x1c(%edi),%edx
0x400c5b4c <memcpy+44>: sub $0x20,%ecx
0x400c5b4f <memcpy+47>: mov (%esi),%eax
0x400c5b51 <memcpy+49>: mov 0x4(%esi),%edx
0x400c5b54 <memcpy+52>: mov %eax,(%edi)
0x400c5b56 <memcpy+54>: mov %edx,0x4(%edi)
0x400c5b59 <memcpy+57>: mov 0x8(%esi),%eax
0x400c5b5c <memcpy+60>: mov 0xc(%esi),%edx
0x400c5b5f <memcpy+63>: mov %eax,0x8(%edi)
0x400c5b62 <memcpy+66>: mov %edx,0xc(%edi)
0x400c5b65 <memcpy+69>: mov 0x10(%esi),%eax
0x400c5b68 <memcpy+72>: mov 0x14(%esi),%edx
0x400c5b6b <memcpy+75>: mov %eax,0x10(%edi)
0x400c5b6e <memcpy+78>: mov %edx,0x14(%edi)
0x400c5b71 <memcpy+81>: mov 0x18(%esi),%eax
0x400c5b74 <memcpy+84>: mov 0x1c(%esi),%edx
0x400c5b77 <memcpy+87>: mov %eax,0x18(%edi)
0x400c5b7a <memcpy+90>: mov %edx,0x1c(%edi)
0x400c5b7d <memcpy+93>: lea 0x20(%esi),%esi
0x400c5b80 <memcpy+96>: lea 0x20(%edi),%edi
0x400c5b83 <memcpy+99>: jns 0x400c5b49 <memcpy+41>
0x400c5b85 <memcpy+101>: add $0x20,%ecx
0x400c5b88 <memcpy+104>: mov 0xc(%esp,1),%eax
0x400c5b8c <memcpy+108>: repz movsb %ds:(%esi),%es:(%edi)
0x400c5b8e <memcpy+110>: pop %esi
0x400c5b8f <memcpy+111>: pop %edi
0x400c5b90 <memcpy+112>: ret
0x400c5b91 <memcpy+113>: nop
0x400c5b92 <memcpy+114>: nop
0x400c5b93 <memcpy+115>: nop
0x400c5b94 <memcpy+116>: nop
0x400c5b95 <memcpy+117>: nop
0x400c5b96 <memcpy+118>: nop
0x400c5b97 <memcpy+119>: nop
0x400c5b98 <memcpy+120>: nop
0x400c5b99 <memcpy+121>: nop
0x400c5b9a <memcpy+122>: nop
0x400c5b9b <memcpy+123>: nop
0x400c5b9c <memcpy+124>: nop
0x400c5b9d <memcpy+125>: nop
0x400c5b9e <memcpy+126>: nop
0x400c5b9f <memcpy+127>: nop
End of assembler dump.
(gdb)

yours
-q