A format string vulnerability has been found in the Unread v3.1.1 IRC server. Fix available here.
bed21eac274bf0fa1b5f19e58353c703fb22d0623a1825013bd41eb684778f76
---------------------------------------------------------------------------
Web: https://qb0x.net Author: Gabriel A. Maggiotti
Date: Febrary 25, 2002 E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------
General Info
------------
Problem Type : Format String Vulnerability
Product : Unreal irc server
Version : tested in 3.1.1
Vendor : www.unrealircd.org
Summary
-------
A security vulnerability has been found in the popular Unreal irc server.
Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function.
This function is in /src/cio_main.c file
Piece of code:
va_start(argptr, InBuf);
Len = vsprintf(Buffer, InBuf, argptr);
va_end(argptr);
The problem is with InBuf, if %p.%p.%p.%n is written in InBuf a segfault
is produced, the program crashes when it tries to copy the value of eax
to the address of edx.
SOLUTION:
Don't forget to use the proper format of svprintf:
int vprintf(const char *format, va_list ap);
---------------------------------------------------------------------------
research-list@qb0x.net is dedicated to interactively researching vulnerab-
ilities, report potential or undeveloped holes in any kind of computer system.
To subscribe to research-list@qb0x.ne t send a blank email to
research-list-subscribe@qb0x.net. More help available sending an email
to research-list-help@qb0x.net.
Note: the list doesn't allow html, it will be stripped from messages.
---------------------------------------------------------------------------