Tried, Tested and Proven

Vulnerability Title:

Security Advisory 06-063 – Multiple Buffer Overflows Vulnerabilities In Centericq

Vulnerable System:

Centericq

Vulnerability Discovery And Development:

Portcullis Security Testing Services.

Credit For Discovery:

Nico Leidecker of Portcullis Computer Security Ltd.

Affected Systems:

Version 4.21 on FreeBSD and the official sources were tested as vulnerable.
Previous versions and those versions running on various Linux distributions may be affected.

Details:

Centericq provides modules to several messaging and chat protocols. The modules for Yahoo, LiveJournal, Jabber and IRC are vulnerable to multiple buffer overflows mainly, when the user receives a notification message for certain events. The following list identifies the events which have to be undertaken in order to result in a possible buffer overflow.

IRC Hook

- a user in the victims contact list changes his nickname. The sum of the length of his old and his new nickname has to be greater than 100.

- a user joins or leaves a channel and the length of nickname and real name are greater than 512.

- the victim obtains the IRC client information from another user. The information length must be greater than 512 bytes.

- in the event message, when a user gets kicked from a channel and the length of his username and the name of the op user are greater than 512.

- a third user or the victim gets opped or deopped by an op whereas length of username and op name are greater than 512.

Untested buffer overflows in the following modules:

Jabber Hook

- the victim obtains the Jabber client information from another user. The information length must be greater than 512 bytes.

LiveJournal Hook

- in the notification message, when the attacker adds or removes the victim to or from his friend list.

Yahoo Hook

- in the notification message, when a user invites the victim to a conference.

- if the attacker declines a conference invitation

- a user joins or leaves a conference

- a user gets informed, when he received a new email. When the total length of sender and subject are greater than 1024 a buffer overflow follows.

As an example:

One of the modules is an Internet Relay Chat (IRC) module. The centericq user is notified for every change of nickname for any user in his contact list and logs it to a file. However, only 100 bytes are allocated for the log message which includes both the old and new username. Furthermore, centericq fails to check the sizes of the usernames and therefore suffers from a buffer overflow if the sum of the length of old and new username is greater than 40 (format string covers the remaining 60 bytes). In order to get into the victims contact list, the attacker simply sends a message to the user. He has not joined any channel by doing that. In the next step, the attacker changes his nickname to another name that may include arbitrary code to execute within the context of the running of centericq. Official IRC Servers may not support usernames that are 20 bytes or longer. Although, the attacker could lead the victim to a server controlled by him to exploit these vulnerabilities.

Impact:

The attacker could cause a Denial of Service or execute arbitrary code with the users privileges.

Exploit:

The proof of concept exploit code is available.

Vendor Status:

Contacted k@thekonst.net
16/01/2007 – Vendor informed
14/02/2007 – Vendor informed
15/03/2007 – Vendor informed

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.