
| Subject: | [Full-disclosure] PTnet IRCD heap exhaustion and integer overflow |
|---|---|
| Date: | Fri, 30 Dec 2005 14:46:14 +0000 |
Synopsis : Potential heap exhaustion and an integer overflow
Product  : PTnet IRCD
Version  : 1.6, 1.5 (partially)
Date     : February 3rd, 2005
Author   : blackfile

o introduction --

The PTnet IRCD is a DALnet dreamforge fork. This IRCD has been hardly modified to fit the network users' needs. Since version 1.5 only some channels were locked due to security measures. But from version 1.6 onwards this seems to be somewhat problematic. Some channels like #PTnet, #PTnoticias and all #*.log channels were locked.

Note: One should keep in mind that you need special privileges to join these channels.

o details --

Since PTnet has a closed source philosophy and I don't have access to either the IRCD's binary or the sources, I had to make some hard guesses and some reverse engineering. So it would seem normal if some of my guesses and/or ideas about this problem were wrong.

When one attempts to join one of these charmed channels and is not properly identified as an IRCOP, a warning is displayed (Permission denied- You do not have the proper IRC operator privileges). However, the channel is opened with no one inside, so a few kilobytes of memory are allocated and right after this an integer that says how many channels have been opened is incremented by one. You can confirm that the channel is opened by typing (/quote MODE #channel).

Technical overview: See channel.c/m_join() : At the beginning of the for() loop statement there are a few conditions that check the channel's length and other misc operations. Just after those tests another is made to check if the channel we are joining is a charmed channel or not. But, instead of returning in case of an error, the loop is broken and the rest of the code is executed and the channel is successfully opened with no one inside of it.

o exploitation --

Just create a bunch of bots and start opening random #*.log channels.

o proof-of-concept --

Soon.

o impact --

If properly exploited, the process runs out of heap space, therefore making the IRCD call the outofmemory() function... which will lead to a hell-freezing restart.

o disclaimer --

This document may not be (re)distributed. This file is released "AS IS" without any kind of warranties. The author may not be held responsible for one's misuse of this information and/or program(s). This information and/or source code is provided for educational purposes only.

o vendor notification --

None. Due to their negligence towards the users, none will be made.

o final notes --

Open your radio. There are moths everywhere, I'm sure of it.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
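The control-flow defect the post describes in m_join() (a privilege check that leaves the validation loop with break instead of returning, so the channel is still created and a counter still incremented) can be reconstructed as a small model. The C below is an added example written for this archive page; it is not PTnet IRCD code (which the author also did not have) and not dreamforge's channel.c. The channel pool, the restricted-name rule (#PTnet, #PTnoticias, #*.log), the error codes and all function names are constructed assumptions; `join_buggy` shows the shape the advisory describes, `join_fixed` rejects before anything is allocated, and `denied_joins_leave` counts how many empty channels a run of denied joins leaves behind so the two can be compared.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS 8          /* deliberately small pool so exhaustion is visible */
#define NAME_LEN     32

enum { ERR_BADNAME = -1, ERR_NOPRIV = -2, ERR_NOMEM = -3 };

typedef struct {
    char name[NAME_LEN];
    int  users;
} Channel;

/* Stand-in for the server's channel list and its "channels opened" counter. */
static Channel channels[MAX_CHANNELS];
static int     channel_count;

void reset_channels(void)
{
    memset(channels, 0, sizeof channels);
    channel_count = 0;
}

int channel_total(void) { return channel_count; }

/* Constructed rule modelled on the advisory: #PTnet, #PTnoticias and any
   #*.log channel are operator-only ("charmed"). */
static int is_restricted(const char *name)
{
    size_t n = strlen(name);
    if (strcmp(name, "#PTnet") == 0 || strcmp(name, "#PTnoticias") == 0)
        return 1;
    return n > 4 && strcmp(name + n - 4, ".log") == 0;
}

static int valid_name(const char *name)
{
    size_t n = strlen(name);
    return n >= 2 && n < NAME_LEN && name[0] == '#';
}

/* Find an existing channel or allocate a new slot; NULL when the pool is gone
   (the point at which the real server would reach outofmemory()). */
static Channel *get_channel(const char *name)
{
    for (int i = 0; i < channel_count; i++)
        if (strcmp(channels[i].name, name) == 0)
            return &channels[i];
    if (channel_count == MAX_CHANNELS)
        return NULL;
    Channel *ch = &channels[channel_count++];
    strcpy(ch->name, name);
    ch->users = 0;
    return ch;
}

/* Shape described in the advisory: the privilege check only breaks out of the
   validation loop, execution falls through to channel creation, and the denied
   user is never added, so an empty channel stays allocated. */
int join_buggy(const char *name, int is_oper)
{
    int rc = 0;
    for (int pass = 0; pass < 1; pass++) {   /* stands in for the for() in m_join() */
        if (!valid_name(name)) return ERR_BADNAME;
        if (is_restricted(name) && !is_oper) {
            rc = ERR_NOPRIV;
            break;                           /* BUG: leaves the loop, not the function */
        }
    }
    Channel *ch = get_channel(name);         /* still runs when rc == ERR_NOPRIV */
    if (!ch) return ERR_NOMEM;
    if (rc) return rc;                       /* denied: channel exists with users == 0 */
    ch->users++;
    return 0;
}

/* Hardened form: every rejection returns before any state is allocated. */
int join_fixed(const char *name, int is_oper)
{
    for (int pass = 0; pass < 1; pass++) {
        if (!valid_name(name)) return ERR_BADNAME;
        if (is_restricted(name) && !is_oper)
            return ERR_NOPRIV;
    }
    Channel *ch = get_channel(name);
    if (!ch) return ERR_NOMEM;
    ch->users++;
    return 0;
}

/* Run n denied joins of distinct restricted names through the given join
   function (non-operator caller) and report how many channels remain. */
int denied_joins_leave(int (*join)(const char *, int), int n)
{
    char name[NAME_LEN];
    reset_channels();
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "#x%d.log", i);
        join(name, 0);
    }
    return channel_count;
}

int main(void)
{
    printf("buggy: %d empty channels after 5 denied joins\n",
           denied_joins_leave(join_buggy, 5));
    printf("fixed: %d empty channels after 5 denied joins\n",
           denied_joins_leave(join_fixed, 5));
    return 0;
}
```

The defensive point is ordering: authorization must fail before any resource (channel struct, counter increment) is touched, and the error path must leave the function, not just the loop. A cheap detection check on a live server is the one the author gives, `/quote MODE #channel` on a channel nobody should have been able to open; in the model, `channel_total()` growing under repeated `ERR_NOPRIV` results is the same signal.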