Security Advisory 07-007 – Denial of Service due to a heap smash while parsing CTCP requests
Vulnerability discovery and development:
Portcullis Security Testing Services
Credit for Discovery:
Nico Leidecker of Portcullis Computer Security Ltd discovered this vulnerability. Further research was then carried out.
Version 0.3.151 was tested to be vulnerable.
HydraIRC supports CTCP requests. Before showing CTCP request messages on the screen, HydraIRC parses the user input and replaces every percentage character with two of them. It fails to check the length of the resulting string and thereby is prone to a buffer overflow attack.
Since there are more than 506 bytes needed to overwrite important data on the stack and according to the RFC, the full request sent cannot be more than 512 bytes, it is unlikely to find a public server that would be abused for that attack. Nevertheless, an attacker can still crash the victim’s client, if the victim connects to a modified server or a server not compliant to the RFC.
Proof of concept exploit code is available.
The vendor has been informed and the vulnerability has been fixed.
Copyright © Portcullis Computer Security Limited 2007, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.