EFNet IRCd allows shell access to the IRC server
--------------------------------------------------------------------------------
SUMMARY
EFNet IRCd hybrid-6 (all versions up to beta 58) can be exploited to gain
remote access to the IRC server. In most cases, the resulting shell runs
with the privileges of the 'irc' user.
DETAILS
The vulnerability is in the invite handling code (m_invite). In channels
with operators (ops) and modes +pi (private + invite-only), a channel
invitation is reported to all other operators. The buffer used to store
the invitation notice can be overflowed by up to 15 bytes.
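As an added illustration of the bug class just described (not the hybrid-6 source; the page does not give the real format string or buffer size, so FMT and NOTICE_BUFLEN below are assumptions), this builds the invitation notice from nick, user, host and channel strings in a bounded way and checks the advisory's 9/10/63/199-character worst case against the buffer, which is the check the unbounded sprintf()-style pattern lacks.

```c
#include <stdio.h>
#include <string.h>
#define NOTICE_BUFLEN 256  /* assumed size of the fixed notice buffer */
#define FMT "*** %s!%s@%s is inviting you to %s"  /* assumed notice format */
static char demo_buf[NOTICE_BUFLEN];  /* scratch buffer shared by the demos */

/* Bytes the notice needs, not counting the terminating NUL. */
size_t invite_notice_len(const char *nick, const char *user,
                         const char *host, const char *chan)
{
    return (size_t)snprintf(NULL, 0, FMT, nick, user, host, chan);
}

/* Bounded builder: returns the notice length, or -1 if it would not fit.
 * The bug class above is the equivalent sprintf() into a fixed buffer with
 * no such check, so over-long inputs write past the buffer's end. */
int build_invite_notice(char *buf, size_t buflen, const char *nick,
                        const char *user, const char *host, const char *chan)
{
    int n = snprintf(buf, buflen, FMT, nick, user, host, chan);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';  /* refuse the notice rather than truncate silently */
        return -1;
    }
    return n;
}

/* Constructed inputs at the advisory's worst-case lengths (9/10/63/199). */
static void fill(char *dst, size_t len, char c) { memset(dst, c, len); dst[len] = '\0'; }

size_t advisory_case_len(void)
{
    char nick[10], user[11], host[64], chan[200];
    fill(nick, 9, 'n'); fill(user, 10, 'u'); fill(host, 63, 'h'); fill(chan, 199, 'c');
    return invite_notice_len(nick, user, host, chan);
}

int advisory_case_fits(void)
{
    char nick[10], user[11], host[64], chan[200];
    fill(nick, 9, 'n'); fill(user, 10, 'u'); fill(host, 63, 'h'); fill(chan, 199, 'c');
    return build_invite_notice(demo_buf, sizeof demo_buf, nick, user, host, chan);
}

int main(void)
{
    int n = build_invite_notice(demo_buf, sizeof demo_buf, "alice", "ali", "example.net", "#test");
    printf("%d bytes: %s\n", n, demo_buf);
    printf("advisory-length inputs need %zu bytes, fits=%d\n", advisory_case_len(), advisory_case_fits());
    return 0;
}
```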
Steps to reproduce this exploit:
1. Client 1 (9chars!10chars@trivial) joins #199chars
2. Client 2 (trivial!trivial@trivial) joins #199chars
3. Client 1 sets mode #199chars +pio Client 2
4. Client 1 invites Client 3 (9chars!10chars@63chars) to #199chars
Note: client 1 and client 3 should not be from the same host.
Client #1's server = vulnerable IRC server (such as irc.arpa.com)
Client #2's server = trivial
Client #3's server = ComStud IRC server (such as irc.prison.net), because
we need it to allow shellcode chars in hostname.
Using the following spoofed host (59 chars):
shellcodeshellcodeshellcodeshellcodeshellcodeshellcode.AAAA
[The ComStud IRCd will check for a '.']
Here, EIP = 0x41414141 (AAAA). The other registers are negligible. The
hostlen is actually 63 bytes, but for this specific overflow, EIP is
overwritten at buf[54-58].
As for how to go about spoofing, you have two options:
1) Use the old DNS cache poisoning method
2) Use custom "fake binds" that simply return your shellcode as the
hostname in response to a DNS query.
Option #2 is the approach we will demonstrate (hostname.c generates the
shellcode used below). This will work fine as long as the IP/hostname
hasn't already been cached. Because these "fake binds" are pretty popular
(or have been in the past), they should be easy to come by and are outside
the scope of this advisory.
To sum up the necessary steps of the exploit: a client with the spoofed
hostname connects to a ComStud IRCd server (such as irc.prison.net),
another client joins an arbitrary server, and another client joins the
target IRCd hybrid-6 server (such as irc.arpa.com). Once the channel is
+pi (and your channel, ident, username, etc. are all the right length),
invite the client with the spoofed hostname. Fine-tune until you have
root.
ADDITIONAL INFORMATION
Exploit source code is available from:
http://www.w00w00.org/files/exploits/ircdexp/
This vulnerability was discovered by Matt Conover (Shok) <[EMAIL PROTECTED]>.