Unreal IRCd Format String Vulnerability

Summary

Unreal IRCd is an IRC server based on the branch of IRCu called Dreamforge, formerly used by the DALnet IRC Network. A format string vulnerability has been discovered in the product that allows a remote attacker to cause the program to crash whilst executing arbitrary code.

Credit:

The information has been provided by Gabriel A. Maggiotti.


Details

Vulnerable systems:
Unreal IRCd version 3.1.1

Immune systems:
Unreal IRCd version 3.2 beta

A security vulnerability has been found in the Unreal IRCd server. Unreal IRCd has a format string vulnerability in the Cio_PrintF(…) function. This function is in the /src/cio_main.c file.

Piece of code:
        va_start(argptr, InBuf);
        Len = vsprintf(Buffer, InBuf, argptr);
        va_end(argptr);

The problem is with InBuf: if %p.%p.%p.%n is written in InBuf, a segfault is produced. The program crashes when it tries to copy the value of eax to the address held in edx.
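
The corrected call shape for the pattern above, as an added example (not Unreal IRCd source and not the project's actual fix). The names safe_printf_buf and format_untrusted are hypothetical; the example assumes a C99 compiler and uses the GCC/Clang format attribute only when available.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
/* Lets -Wformat / -Wformat-security flag a non-literal format at compile time. */
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical bounded replacement for the vsprintf() wrapper quoted above.
 * Returns the number of bytes written, or -1 on error or truncation. */
static int safe_printf_buf(char *out, size_t outsz, const char *fmt, ...)
    PRINTF_LIKE(3, 4);

static int safe_printf_buf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* never writes past outsz */
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                        /* report truncation to the caller */
    return n;
}

/* The fix at the call site: the format is a constant and the untrusted text
 * is passed as data, so directives inside it are never interpreted. */
static int format_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return safe_printf_buf(out, outsz, "%s", untrusted);
}

int main(void)
{
    char buf[64];
    const char *input = "%p.%p.%p.%n";    /* constructed sample input */

    if (format_untrusted(buf, sizeof buf, input) >= 0)
        printf("stored literally: %s\n", buf);
    return 0;
}
```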
