Advisory -- Possible remote exploit from a rogue server; an exploit exists.
Summary -- ircII-derived clients (EPIC included) generally trust the server
not to send them garbage, and validity checking on data coming from the
server tends to be weak. If a rogue server sends us a CTCP request from an
extremely large nickname (over about 512 bytes), EPIC may attempt to
alloca() a negative value, which under gcc returns an invalid pointer; the
memory it points to will then be overwritten.
Extent -- All versions of epic4 before epic4pre2.002 are not vulnerable
to this attack. All versions of epic4 since and including epic4pre2.003
are vulnerable, and this patch should be applied. Future versions of EPIC
will include this patch.
Cause-for-alarm -- If you connect to a rogue server that has been carefully
crafted to send a CTCP request from an extremely large nickname, EPIC may
overwrite its own stack, yielding a remote exploit that runs as whatever
user id you are running the client as.
Disclaimer -- All non-trivial software has bugs of varying degrees; EPIC
is no exception. All remote exploits are serious, but this one is more
serious because an exploit for this bug is already floating around.
You should never connect to a server you do not trust.
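The length arithmetic behind the advisory, shown as an added example that is not EPIC's code: the signed room left for a CTCP reply goes negative once the nickname exceeds IRCD_BUFFER_SIZE minus the fixed overhead, the negative value wraps to a huge request when it reaches alloca(), and a check that compares before subtracting refuses the nickname before any stack allocation happens. IRCD_BUFFER_SIZE (512) and the 12-byte overhead are taken from the advisory and the patch fragment; the function names, the "\001CMD ARG\001" reply layout and the 600-byte test nickname are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#if defined(__linux__) || defined(__APPLE__)
#include <alloca.h>   /* BSD declares alloca() in <stdlib.h> */
#endif

#define IRCD_BUFFER_SIZE 512   /* IRC line limit the advisory refers to */
#define CTCP_OVERHEAD    12    /* fixed overhead figure from the patch fragment */

/* The original expression, evaluated in signed arithmetic so the result is
 * well defined: negative once strlen(to) > IRCD_BUFFER_SIZE - 12. */
long ctcp_room_signed(const char *to)
{
    return (long)IRCD_BUFFER_SIZE - (long)(CTCP_OVERHEAD + strlen(to));
}

/* What that negative length becomes when handed to alloca(size_t):
 * signed-to-unsigned conversion wraps it to an enormous request. */
size_t ctcp_room_as_alloca_arg(const char *to)
{
    return (size_t)ctcp_room_signed(to);
}

/* Hardened check: compare before subtracting so nothing can go negative.
 * Returns the room left for the reply (> 0), or -1 if the nick leaves none. */
long ctcp_check_room(const char *to)
{
    size_t n = strlen(to);
    if (n >= IRCD_BUFFER_SIZE - CTCP_OVERHEAD)
        return -1;
    return (long)(IRCD_BUFFER_SIZE - CTCP_OVERHEAD - n);
}

/* Build "\001CMD ARG\001" for `to` in a stack buffer whose size has been
 * validated, then copy it to the caller. Returns the reply length, or -1
 * if the nick was rejected or the reply (with its final \001) does not fit. */
int build_ctcp_reply(const char *to, const char *cmd, const char *arg,
                     char *out, size_t outsz)
{
    long room = ctcp_check_room(to);
    if (room < 0)
        return -1;
    char *buf = alloca((size_t)room);             /* only reached with a sane size */
    int n = snprintf(buf, (size_t)room, "\001%s %s\001", cmd, arg);
    if (n < 0 || (size_t)n >= (size_t)room || (size_t)n >= outsz)
        return -1;                                /* truncated: final \001 would be lost */
    memcpy(out, buf, (size_t)n + 1);
    return n;
}

/* Constructed test input: a 600-byte nickname, longer than any IRC line. */
const char *oversized_nick(void)
{
    static char nick[601];
    memset(nick, 'a', 600);
    nick[600] = '\0';
    return nick;
}

/* Convenience wrapper: length of a VERSION reply to `to`, or -1 if refused. */
int demo_reply_len(const char *to)
{
    char out[IRCD_BUFFER_SIZE];
    return build_ctcp_reply(to, "VERSION", "x", out, sizeof out);
}

int main(void)
{
    printf("room for 'alice': %ld\n", ctcp_room_signed("alice"));
    printf("room for 600-byte nick: %ld (alloca would be asked for %zu bytes)\n",
           ctcp_room_signed(oversized_nick()), ctcp_room_as_alloca_arg(oversized_nick()));
    printf("reply to alice: %d bytes\n", demo_reply_len("alice"));
    printf("reply to 600-byte nick: %d\n", demo_reply_len(oversized_nick()));
    return 0;
}
```

The key design point is the order of operations in ctcp_check_room(): the comparison is done on the unsigned nickname length against a constant, so the subtraction is only ever performed when it cannot go negative, and alloca() never sees a value derived from an unchecked subtraction.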
Fix: Bumped PORTREVISION; note the newly added file, patch-ctcp.c, which
should go into epic4/files/.
== files/patch-ctcp.c ==
/* Make sure that the final \001 doesnt get truncated */
- len = IRCD_BUFFER_SIZE - (12 + strlen(to));
+ if ((len = IRCD_BUFFER_SIZE - (12 + strlen(to))) < 0)
putbuf2 = alloca(len);
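Review bot: the added `if ((len = IRCD_BUFFER_SIZE - (12 + strlen(to))) < 0)` has no body in the hunk as shown, so the unchanged `putbuf2 = alloca(len);` line becomes its body and the allocation would run only when len is negative, the exact case the patch is meant to avoid; the bail-out that belongs after the `+` line (a `return`, or clamping `len` before the alloca) is missing, and the fragment also lacks its `@@` header, so it cannot be applied with patch(1) as pasted. Since `IRCD_BUFFER_SIZE - (12 + strlen(to))` is evaluated in size_t before being stored in len, the `< 0` test only catches the oversized nick if len is a signed type; comparing `strlen(to)` against `IRCD_BUFFER_SIZE - 12` before subtracting avoids depending on that conversion.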
== epic4.patch ==
RCS file: /home/ncvs/ports/irc/epic4/Makefile,v
retrieving revision 1.45
diff -u -r1.45 Makefile
--- epic4/Makefile 23 Mar 2003 06:21:54 -0000 1.45
+++ epic4/Makefile 27 May 2003 15:00:36 -0000
@@ -8,7 +8,7 @@
# Make these variables overridable for slave ports
CATEGORIES?= irc ipv6
MASTER_SITES= http://ftp.prbh.org/pub/epic/EPIC4-PRODUCTION/ \
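Review bot: the hunk is cut off after the `MASTER_SITES=` continuation line, and the PORTREVISION bump described under Fix is not visible in the lines shown, so the complete `@@ -8,7 +8,7 @@` hunk with the `PORTREVISION=` change needs to be present before this can be committed. The new files/patch-ctcp.c is not part of this cvs diff either (it is pasted separately above), so make sure it is added alongside the Makefile change or the bumped port will build without the fix.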