allow::options::noident security issue

Syzop
UnrealIRCd head coder

Post by Syzop »

A security issue was found, which is exploitable (crash) when allow::options::noident is in use.
The security advisory is below. (this news item is a re-post, not an update)

SECURITY ADVISORY
==================

A serious buffer overflow issue has been discovered in UnrealIRCd. This issue can cause the IRC server to crash. It is not clear if this issue can lead to remote code execution.

==[ AFFECTED VERSIONS ]==
This bug can ONLY be triggered if allow::options::noident is in use. By default, this is not the case, and it's not a very common option to use.
To check for this, you can search for "noident" (without quotes) in your config files (such as unrealircd.conf). If you don't use this option, you are safe, and there's no need to upgrade. If you use the noident option, and you're using Unreal3.2.8 or earlier (this issue goes back to 3.2beta11), then you are affected.

==[ PROBLEM ]==
A buffer in the code which handles user authorization is copied without sufficient length checks, causing a buffer overflow.
This bug happens BEFORE the user is online. In other words: even if you have a password protected server, or only allow certain ip/hosts in, and you use allow::options::noident, then this bug can still be triggered.

There has been one report of this bug being abused by "bad guys" to crash the server, so if you're using allow::options::noident then it's highly recommended to either implement the WORKAROUND or FIX as soon as possible.

==[ WORKAROUND ]==
The workaround is simply to remove noident from the allow::options and /REHASH.
For example, if you have:

allow {
        ip "*abc@*";
        hostname "*abc@*";
        class clients;
        maxperip 3;
        options { noident; }; // MARK
};

Then simply remove the line marked with MARK, and /REHASH the IRCd.

Naturally, if you rely on the noident feature on your network/IRCd, then this may not be an option for you. Check out the FIX in the next section, instead.

==[ FIX ]==
Thanks to having a (partially) modular IRC server, we have created a "hot fix" utility that will fix the issue WITHOUT requiring a server restart. All you will have to do is install it and rehash.
This patch can be used on UnrealIRCd versions 3.2.3 - 3.2.8. If you are using any older version (unsupported), then we suggest you upgrade to the latest version or implement the workaround.

*NIX:
Download and run the hotfix utility, available from these locations:
http://www.unrealircd.com/upd/unrealpatch328
http://www.vulnscan.org/unr/unrealpatch328

EXAMPLE:

 cd ~/Unreal3.2 && wget http://www.unrealircd.com/upd/unrealpatch328 && \
 chmod +x unrealpatch328 && ./unrealpatch328

(or use 'fetch' instead of 'wget', or any other download utility)

Alternatively if that did not work, try this .tar.gz:
http://www.unrealircd.com/upd/qpatch.tar.gz OR
http://www.vulnscan.org/unr/qpatch.tar.gz

Extract it, cd to the qpatch directory and run ./doinstall

Windows:
Unfortunately, we did not have the resources to make a hotfix utility for
Windows, so you will have to either implement the workaround or upgrade
your UnrealIRCd to 3.2.8.1:
http://www.unrealircd.com/downloads/unreal/win (Windows)
http://www.unrealircd.com/downloads/unreal/winssl (Windows SSL)

==[ NEW VERSION ]==
For existing installations you can use the FIX as explained above.
For fresh installs, we've released a new Unreal version called 3.2.8.1,
which can be downloaded from http://www.unrealircd.com/

MD5 checksums:
86212ebf6feab6cc57a4ebba99632db2 qpatch.tar.gz
c855fd1fe1cb2f08095bf7cd8f2f1120 unrealpatch328
7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz
5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe
a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe

SHA1 checksums:
6654bccd941ea038e9bef847703b25450b739ba1 qpatch.tar.gz
766118e3cdad454dc189a8bb06cbc8ff55cdb7f7 unrealpatch328
363c3c995bb38cf601f409610ce1937a0002c419 Unreal3.2.8.1.tar.gz
d2e73094149bbcc9238b111f12f30fa8f8a463cc Unreal3.2.8.1.exe
336972a8201a67be2bcbb012f66abd11d19ade46 Unreal3.2.8.1-SSL.exe

==[ TIMELINE ]==
Times are UTC
2009-04-10 Bug reported
2009-04-11 Additional information requested
2009-04-12 Information provided
2009-04-12 Bug traced, working on fix
2009-04-13 Fix & binaries ready. Public announcement

==[ SOURCE ]==
A copy (and any updates) of this advisory is available at:
http://www.unrealircd.com/txt/unrealsec ... 090413.txt
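
Added example (not part of the advisory and not UnrealIRCd project code): the advisory's check is to search the config files for "noident"; this sketch narrows a plain text search to allow blocks where the option is actually active, skipping comments and quoted strings. The function name and the sample config are constructed for illustration, and the parser assumes the block syntax shown in the advisory's own allow example.

```python
import re

# Constructed sample in the config syntax used by the advisory (not a real server).
SAMPLE_CONF = '''\
/* options { noident; }; inside a block comment is inactive */
allow {
        ip "*@*";
        class clients;
        // options { noident; };
};
allow {
        ip "*abc@*";
        hostname "*abc@*";
        class clients;
        options { noident; };
};
me { name "noident.example.org"; };  # a quoted string is not an option
'''

TOKEN = re.compile(r'''
    (?P<comment>/\*.*?\*/|//[^\n]*|\#[^\n]*)   # block, // and hash comments
  | (?P<string>"(?:\\.|[^"\\\n])*")             # quoted value
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.S | re.X)

def find_active_noident(conf_text):
    """Return [(allow_line, noident_line)] for allow blocks with noident active."""
    hits, stack, stmt = [], [], []   # stack holds open blocks as (name, line)
    for m in TOKEN.finditer(conf_text):
        kind, text = m.lastgroup, m.group()
        if kind == 'comment':
            continue
        line = conf_text.count('\n', 0, m.start()) + 1
        if text == '{':              # first word of the statement names the block
            stack.append(stmt[0] if stmt else ('', line))
            stmt = []
        elif kind == 'punct':        # '}' closes a block, ';' ends a statement
            if text == '}' and stack:
                stack.pop()
            stmt = []
        else:                        # names compared case-insensitively to be safe
            stmt.append((text.lower(), line))
            path = [name for name, _ in stack]
            if kind == 'word' and stmt[-1][0] == 'noident' and path == ['allow', 'options']:
                hits.append((stack[0][1], line))
    return hits

print(find_active_noident(SAMPLE_CONF))
```

An empty result for every config file (including any files pulled in from the main one) means the affected option is not in use; each tuple otherwise gives the line where the allow block opens and the line carrying noident.
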

Re: allow::options::noident security issue

Post by buffulo »

A while back I had an issue which was causing the server to crash consistently. I was able to resolve this by reinstalling everything. I am wondering if this security issue may have been the real culprit. I do appreciate the workaround, and will get on it immediately. Thank you very much for this information.