<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<TITLE> [IRCServices] bug in ircservices and epona can crash services</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20bug%20in%20ircservices%20and%20epona%20can%20crash%20services&In-Reply-To=">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="002976.html">
<LINK REL="Next" HREF="002979.html">
<BODY BGCOLOR="#ffffff">
<H1>[IRCServices] bug in ircservices and epona can crash services</H1>
<A HREF="mailto:ircservices%40ircservices.za.net?Subject=%5BIRCServices%5D%20bug%20in%20ircservices%20and%20epona%20can%20crash%20services&In-Reply-To=" TITLE="[IRCServices] bug in ircservices and epona can crash services">lucas at lucas-nussbaum.net</A>
<I>Sun Jun 23 19:08:01 PDT 2002</I>
<LI>Previous message: <A HREF="002976.html">[IRCServices] who should I send bug reports to ?</A>
<LI>Next message: <A HREF="002979.html">[IRCServices] Services 4.5.41 released</A>
<LI> <B>Messages sorted by:</B>
<a href="date.html#2978">[ date ]</a>
<a href="thread.html#2978">[ thread ]</a>
<a href="subject.html#2978">[ subject ]</a>
<a href="author.html#2978">[ author ]</a>
There's a bug in both ircservices and epona which can cause services to crash. Remote execution of code on the services account is theoretically possible (it isn't likely, but you never know).

I won't detail the contents of the patch yet : I don't want to make all networks be crashed by users because of me ;o) I will just tell you that every user on your network can crash your services.

The bug was found by Aristotles (he is asleep right now, so I can't ask for more information to be able to credit him properly). Anyway, congratulations go to him :)

Andrew Church (for ircservices) and lara (for epona) were both contacted. They might release a new version fixing this in a more clever way soon.

<A HREF="http://www.lucas-nussbaum.net/epona-1.4.11+formatfix.diff">http://www.lucas-nussbaum.net/epona-1.4.11+formatfix.diff</A>
(please note that the bug is in ircservices code used by epona, so lara isn't to blame)

Patch for ircservices :
<A HREF="http://www.lucas-nussbaum.net/ircservices-4.5.40+formatfix.diff">http://www.lucas-nussbaum.net/ircservices-4.5.40+formatfix.diff</A>

To apply (example for epona) :

patch -p1 < epona-1.4.11+formatfix.diff

The patch is very simple, and applies to some very old code, so you should be able to apply it to older versions too.

Other services based on ircservices might be vulnerable too.
Thales (IRC to MySQL gateway, see <A HREF="http://www.lucas-nussbaum.net/thales/">http://www.lucas-nussbaum.net/thales/</A> ), contains the vulnerable code but doesn't use it.

After contacting him, Andrew Church suggested the following patch :

63 ===================================================================
64 RCS file: /var/cvs-private/ircservices/send.c,v
65 retrieving revision
1.8.4.2
66 diff -u -r1.8
.4.2 send.c
67 --- send.c
7 Jan
2002 15:
35:
56 -
0000 1.8.4.2
68 +++ send.c
23 Jun
2002 16:
55:
36 -
0000
73 - snprintf(buf, sizeof(buf),
"NOTICE %s :%s
", dest, fmt);
74 - vsend_cmd(source, buf, args);
75 + vsnprintf(buf, sizeof(buf), fmt, args);
76 + send_cmd(source,
"NOTICE %s :%s
", dest, buf);
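Review bot: fmt is still consumed as a format string by vsnprintf(buf, sizeof(buf), fmt, args) in the NOTICE hunk, so the function stays safe only while every caller passes a literal format; add a comment above it stating that fmt must never be user-supplied text. Passing dest and buf as %s arguments to send_cmd is the right shape, because neither ends up inside a string that is later interpreted as a format, which is what happened to dest when the removed lines handed buf to vsend_cmd.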
84 - snprintf(buf, sizeof(buf),
"PRIVMSG %s :%s
", dest, fmt);
85 - vsend_cmd(source, buf, args);
86 + vsnprintf(buf, sizeof(buf), fmt, args);
87 + send_cmd(source,
"PRIVMSG %s :%s
", dest, buf);
90 /*************************************************************************/
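Review bot: The return value of vsnprintf in the PRIVMSG hunk is ignored, so a message longer than buf is silently truncated before send_cmd wraps it in the PRIVMSG line. The declaration of buf is outside the visible lines; confirm its size covers the longest message this helper is expected to carry, or log when the returned length is not smaller than sizeof(buf).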
95 + vsnprintf(buf, sizeof(buf), fmt, args);
97 - snprintf(buf, sizeof(buf),
"GLOBOPS :%s
", fmt);
98 + send_cmd(source ? source : ServerName,
"GLOBOPS :%s
", buf);
100 - snprintf(buf, sizeof(buf),
"WALLOPS :%s
", fmt);
101 + send_cmd(source ? source : ServerName,
"WALLOPS :%s
", buf);
103 - vsend_cmd(source ? source : ServerName, buf, args);
106 /*************************************************************************/
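Review bot: The expression source ? source : ServerName is now written out in both the GLOBOPS and the WALLOPS send_cmd calls, where the removed vsend_cmd line had it once. Resolving it into a local variable next to the new vsnprintf call would keep the two alternatives from drifting apart in a later edit.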
So I let you choose which one you prefer ;)