Page 1 of 1

UnrealIRCd 4.0.9 released

Posted: Sat Dec 03, 2016 8:12 am
by Syzop
An issue was discovered in the UnrealIRCd 4.0.x series which allows you to create a "ghost" user. This requires a minimum of two linked UnrealIRCd 4.0.x servers. A "ghost" is a user which does not really exist. As with most "ghost" bugs in the IRC protocol it will cause some confusion/annoyances to users but does not lead to any privilege escalation. In this case, however, it can also result in UnrealIRCd failing to free resources for the user. A memory leak of 400 to 4000 bytes per user. The memory is only freed after UnrealIRCd is restarted. When the bug is abused it is quite noticeable as for each successful attempt IRCOps would see a KILL message. To put things in perspective: about 25,000 connects are required to consume 100 MB of memory. Ultimately, an attacker may cause UnrealIRCd to consume so much memory that the IRCd will terminate.

We have released UnrealIRCd 4.0.9 which addresses this issue. There is also a "hot fix" available so you can patch your server without requiring an UnrealIRCd restart. See below.

We recommend you to apply the "hot fix" or upgrade somewhere this weekend. It's better to do a peaceful planned upgrade soon than having to rush an upgrade later while people are abusing this bug.

Affected versions
All UnrealIRCd 4.0.x versions before 4.0.9

How to get the fix/patch?
Windows users should download and install UnrealIRCd 4.0.9.

Linux/BSD/.. users can also install 4.0.9 OR you can choose to patch UnrealIRCd on-the-fly without a restart.
Since the patch is usually the easiest and most user friendly solution, we recommend it.
Run the following on the IRC shell:

Code: Select all

wget && sh ghostpatcher

Have there been any reports of these bugs being abused by anyone?
Not yet.

Should I upgrade?
The attack is very detectable, but we do recommend an upgrade/hot-fix. It's better to do a peaceful planned upgrade than having to rush an upgrade later while people are abusing this bug.

Are there any workarounds so I don't have to upgrade?
On *NIX, use the hot fix / patch so you don't need to restart UnrealIRCd.

Can I upgrade without restarting the IRC server?
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:

Code: Select all

wget && sh ghostpatcher
I don't like the patch script. How I can fix this by hand?
Open src/modules/m_nick.c in an editor. Around line 478 change:

Code: Select all

    (void)strlcpy(sptr->name, nick, NICKLEN);

Code: Select all

    (void)strlcpy(sptr->name, nick, NICKLEN+1);
Then save, recompile and rehash your UnrealIRCd.
This is exactly the same as the patch script would do.

How serious is this bug?
The bug leads to resource consumption and some user confusion. For a full explanation see the beginning of this announcement. Then, make your own decision.

When were these issues reported?
This issue was reported less than 24 hours before the fix release.

Updates to this advisory
Small corrections/updates will be posted here, if any.

Re: UnrealIRCd 4.0.9 released

Posted: Mon Dec 05, 2016 7:34 pm
by Syzop
Someone on IRC asked:
when running ghostpatcher, i get the following:

Code: Select all

m_nick.c: In function ‘m_uid’:
m_nick.c:486:9: warning: ignoring return value of ‘do_cmd’, declared with attribute warn_unused_result [-Wunused-result]
   do_cmd(cptr, sptr, "USER", parc - 3, &parv[3]);
is that expected?
it appears to apply and rehash properly
Yes, those are harmless.

The same warnings are/were present during a regular UnrealIRCd installation.. however they probably scrolled by too fast for you to be noticed ;)