---------------------------------------------------------------------------
Web:    http://qb0x.net
Author: Gabriel A. Maggiotti
Date:   February 25, 2002
E-mail: gmaggiotat_private
---------------------------------------------------------------------------

General Info
------------
Problem Type : Format String Vulnerability
Product      : Unreal irc server
Version      : tested in 3.1.1
Vendor       : www.unrealircd.org

Summary
-------
A security vulnerability has been found in the popular Unreal irc server.
Unreal3.1.1 has a format string vulnerability in the Cio_PrintF(...)
function, which is in the /src/cio_main.c file.

Piece of code:

    va_start(argptr, InBuf);
    Len = vsprintf(Buffer, InBuf, argptr);
    va_end(argptr);

The problem is with InBuf: if %p.%p.%p.%n is written in InBuf, a segfault
is produced. The program crashes when it tries to copy the value of eax to
the address in edx.

SOLUTION:
Don't forget to use the proper format of vsprintf:

    int vprintf(const char *format, va_list ap);

---------------------------------------------------------------------------
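The call-site side of the fix described above, as an added example that is not from the original advisory or the Unreal source: untrusted text is passed as a "%s" argument and the write is bounded with vsnprintf. The names out_printf and emit_untrusted and the buffer size are hypothetical stand-ins for a Cio_PrintF-style wrapper and its caller.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 64  /* hypothetical buffer size, not taken from the source */

/* Hypothetical stand-in for a Cio_PrintF-style wrapper. The format
 * attribute (GCC/Clang) lets -Wformat -Wformat-security flag callers
 * that pass a non-literal string as fmt. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int out_printf(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);   /* bounded, unlike vsprintf */
    va_end(ap);

    if (n < 0)
        return -1;                         /* encoding/output error */
    if ((size_t)n >= dstlen)               /* output was truncated */
        return (int)dstlen - 1;            /* bytes actually stored */
    return n;
}

/* Caller side: untrusted text is always an argument, never the format.
 * The vulnerable form would be out_printf(dst, dstlen, untrusted). */
static int emit_untrusted(char *dst, size_t dstlen, const char *untrusted)
{
    return out_printf(dst, dstlen, "%s", untrusted);
}

int main(void)
{
    char buf[OUT_MAX];
    /* Constructed input: the specifier string quoted in the advisory. */
    int n = emit_untrusted(buf, sizeof buf, "%p.%p.%p.%n");

    printf("%d bytes: %s\n", n, buf);
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler warn on any caller that passes a non-literal string as the format argument of the annotated wrapper.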