> Severity: High > Title: ngIRCd: Buffer overflow > Date: January 28, 2005 > Bugs: #79705 > ID: 200501-40 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Synopsis > ======== > > ngIRCd is vulnerable to a buffer overflow that can be used to crash the > daemon and possibly execute arbitrary code. After a quick check, IMHO the bug is not exploitable (except for DoS): the memcpy length (ecx, loaded from the third argument at memcpy+10) is a huge/negative value — it is still 0xffffad7f at the faulting `repz movsb` at memcpy+108 — so the copy runs linearly until edi reaches the unmapped page at 0x806d000 and the process dies inside memcpy before control returns to the caller; that is a crash, not a controlled overwrite (caveat: I have not checked how the length is computed, so this holds only if an attacker cannot make it small enough to stop short of the page boundary). To reproduce the bug: /j #test /mode #test +I aaax300here@aaax128here and watch it go down in: Program received signal SIGSEGV, Segmentation fault. 0x400c5b8c in memcpy () from /lib/libc.so.6 (gdb) info all-registers eax 0x8067e2c 134643244 ecx 0xffffad7f -21121 edx 0x80650ca 134631626 ebx 0xffffff53 -173 esp 0xbfffeb24 0xbfffeb24 ebp 0xbfffeb58 0xbfffeb58 esi 0x806a29e 134652574 edi 0x806d000 134664192 eip 0x400c5b8c 0x400c5b8c Dump of assembler code for function memcpy: 0x400c5b20 <memcpy>: push %edi 0x400c5b21 <memcpy+1>: push %esi 0x400c5b22 <memcpy+2>: mov 0xc(%esp,1),%edi 0x400c5b26 <memcpy+6>: mov 0x10(%esp,1),%esi 0x400c5b2a <memcpy+10>: mov 0x14(%esp,1),%ecx 0x400c5b2e <memcpy+14>: mov %edi,%eax 0x400c5b30 <memcpy+16>: cld 0x400c5b31 <memcpy+17>: cmp $0x20,%ecx 0x400c5b34 <memcpy+20>: jbe 0x400c5b8c <memcpy+108> 0x400c5b36 <memcpy+22>: neg %eax 0x400c5b38 <memcpy+24>: and $0x3,%eax 0x400c5b3b <memcpy+27>: sub %eax,%ecx 0x400c5b3d <memcpy+29>: xchg %eax,%ecx 0x400c5b3e <memcpy+30>: repz movsb %ds:(%esi),%es:(%edi) 0x400c5b40 <memcpy+32>: mov %eax,%ecx 0x400c5b42 <memcpy+34>: sub $0x20,%ecx 0x400c5b45 <memcpy+37>: js 0x400c5b85 <memcpy+101> 0x400c5b47 <memcpy+39>: mov (%edi),%eax 0x400c5b49 <memcpy+41>: mov 0x1c(%edi),%edx 0x400c5b4c <memcpy+44>: sub $0x20,%ecx 0x400c5b4f <memcpy+47>: mov (%esi),%eax 0x400c5b51 <memcpy+49>: mov 0x4(%esi),%edx 0x400c5b54 <memcpy+52>: mov %eax,(%edi) 0x400c5b56 <memcpy+54>: mov %edx,0x4(%edi) 0x400c5b59 <memcpy+57>: mov 0x8(%esi),%eax 0x400c5b5c <memcpy+60>: mov 0xc(%esi),%edx 0x400c5b5f <memcpy+63>: mov %eax,0x8(%edi) 0x400c5b62 
<memcpy+66>: mov %edx,0xc(%edi) 0x400c5b65 <memcpy+69>: mov 0x10(%esi),%eax 0x400c5b68 <memcpy+72>: mov 0x14(%esi),%edx 0x400c5b6b <memcpy+75>: mov %eax,0x10(%edi) 0x400c5b6e <memcpy+78>: mov %edx,0x14(%edi) 0x400c5b71 <memcpy+81>: mov 0x18(%esi),%eax 0x400c5b74 <memcpy+84>: mov 0x1c(%esi),%edx 0x400c5b77 <memcpy+87>: mov %eax,0x18(%edi) 0x400c5b7a <memcpy+90>: mov %edx,0x1c(%edi) 0x400c5b7d <memcpy+93>: lea 0x20(%esi),%esi 0x400c5b80 <memcpy+96>: lea 0x20(%edi),%edi 0x400c5b83 <memcpy+99>: jns 0x400c5b49 <memcpy+41> 0x400c5b85 <memcpy+101>: add $0x20,%ecx 0x400c5b88 <memcpy+104>: mov 0xc(%esp,1),%eax 0x400c5b8c <memcpy+108>: repz movsb %ds:(%esi),%es:(%edi) 0x400c5b8e <memcpy+110>: pop %esi 0x400c5b8f <memcpy+111>: pop %edi 0x400c5b90 <memcpy+112>: ret 0x400c5b91 <memcpy+113>: nop 0x400c5b92 <memcpy+114>: nop 0x400c5b93 <memcpy+115>: nop 0x400c5b94 <memcpy+116>: nop 0x400c5b95 <memcpy+117>: nop 0x400c5b96 <memcpy+118>: nop 0x400c5b97 <memcpy+119>: nop 0x400c5b98 <memcpy+120>: nop 0x400c5b99 <memcpy+121>: nop 0x400c5b9a <memcpy+122>: nop 0x400c5b9b <memcpy+123>: nop 0x400c5b9c <memcpy+124>: nop 0x400c5b9d <memcpy+125>: nop 0x400c5b9e <memcpy+126>: nop 0x400c5b9f <memcpy+127>: nop End of assembler dump. (gdb) yours -q