Charybdis: Improper assumptions in the server handshake code may lead to a remote crash. (CAPAB module)


The initial Advisory:

atheme.org Security Advisory
ASA-2012-12-31

Original release: December 31, 2012.
Last update: December 31, 2012.

Copyright (c) 2012 atheme.org and its contributors.
All rights reserved.

Distribution of this document in full, or in part is allowed,
provided that the distributed portions remain in otherwise
unmodified form and the above copyright notice and this permission
notice remain unchanged.

Topic: Charybdis: Improper assumptions in the server handshake code may lead to
       a remote crash.  (CAPAB module)

Versions affected: All

CVSSv2 vector: AV:N/AC:N/Au:N/C:N/I:N/A:C/E:F/RL:O/RC:C

CVSSv2 base score: 7.8

Access vector: network
Access complexity: low
Authentication requirement: none

Confidentiality impact: none
Integrity impact: none
Availability impact: complete

CVSSv2 temporal score: 6.4

Exploitability: functional exploit exists
Remediation level: official fix
Report confidence: confirmed

Summary:

All versions of Charybdis are vulnerable to a remotely-triggered crash bug
caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means all
versions since ircd-ratbox 2.0 are also vulnerable.)

The bug has to do with server capability negotiation.  A malformed request will
trigger a crash due to invalid assumptions.

Mitigation:

UPDATE 12/31 16:21 GMT-6: Reports have been received by us of both ratbox and charybdis
users using /MODUNLOAD m_capab.so - do NOT do this, it will break server linking!

A patch for all affected versions of ircd-ratbox and charybdis is available from
the charybdis GIT repository:
  https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch

To apply the patch, go to your IRCd source tree and run the following commands:
  $ patch -p1 < /path/to/downloaded/patchfile.patch
  $ make
  $ make install

Then you may hotfix the IRCd by running /MODRESTART as a server admin.

Details:

In ratbox-2, the following code was added to m_capab.c:
  char *t = LOCAL_COPY(parv[i]);

The rest of the handler was then modified to use that stack-allocated buffer rather
than the original argument.  LOCAL_COPY() is a macro which expands to alloca() and
strlcpy(); the crash is caused by that expansion calling strlen(NULL), i.e. by
LOCAL_COPY() being applied to a parv[i] slot that the malformed request left unset.
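As an added example (not charybdis or ircd-ratbox code, and not the fix from the linked commit), the following C program reconstructs the shape of a CAPAB handler and shows the defensive check the advisory's description implies: every parv[i] slot is validated before it is copied into a stack buffer, so a message with a missing argument is rejected instead of reaching strlen(NULL). The parc/parv calling convention, the bounded_copy helper and the list of capability names used here are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not ircd code: the handler receives the parsed message as
 * parc (argument count) and parv[] (argument vector). The advisory's bug is an
 * unconditional LOCAL_COPY(parv[i]), i.e. alloca() + strlcpy(), which ends up
 * calling strlen() on a NULL slot. Here the slot is checked first. */

#define MAX_CAPAB_LEN 512

/* Bounded copy with strlcpy semantics (strlcpy is not available in glibc).
 * Returns the length of src so the caller can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = (len < size - 1) ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Illustrative capability tokens; the real set is ircd-specific (assumption). */
static const char *const known_caps[] = {
    "QS", "EX", "CHW", "IE", "KLN", "TB", "ENCAP", NULL
};

static int is_known_cap(const char *tok)
{
    for (size_t i = 0; known_caps[i] != NULL; i++)
        if (strcmp(tok, known_caps[i]) == 0)
            return 1;
    return 0;
}

/* Returns the number of known capabilities announced in the CAPAB arguments,
 * or -1 if the message is malformed (no arguments, a NULL argument slot, or an
 * over-long argument). Rejecting is the safe behaviour for a server handshake. */
int handle_capab(int parc, const char *parv[])
{
    char t[MAX_CAPAB_LEN];   /* fixed stack buffer instead of alloca() */
    int count = 0;

    if (parc < 2 || parv == NULL)
        return -1;

    for (int i = 1; i < parc; i++) {
        /* The check the original code lacked: never hand NULL to strlen(). */
        if (parv[i] == NULL)
            return -1;
        /* Refuse silently truncated arguments rather than parsing half of one. */
        if (bounded_copy(t, parv[i], sizeof t) >= sizeof t)
            return -1;

        /* Split the private copy on spaces and count recognised tokens. */
        char *p = t;
        while (*p != '\0') {
            while (*p == ' ')
                p++;
            if (*p == '\0')
                break;
            char *start = p;
            while (*p != '\0' && *p != ' ')
                p++;
            if (*p != '\0')
                *p++ = '\0';
            if (is_known_cap(start))
                count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: a well-formed CAPAB and one with a missing argument. */
    const char *good[] = { "CAPAB", "QS EX CHW IE", NULL };
    const char *bad[]  = { "CAPAB", NULL, NULL };

    printf("well-formed: %d known capabilities\n", handle_capab(2, good));
    printf("malformed:   %d (rejected, no crash)\n", handle_capab(2, bad));
    return 0;
}
```

The point of the fixed buffer plus explicit NULL test is that the validation happens before any length computation; an alloca()-based macro cannot check its argument for the caller, so the caller has to do it.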

This bug was reported by "Fudge" (http://github.com/FionnK).

Contact:

For further information about this security advisory, please contact
the Charybdis developers at irc.atheme.org #charybdis.

For more information about atheme.org, please visit the following resources:

  - IRC: irc.atheme.org #atheme-project
  - Web: http://www.atheme.org/



//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
