< back to advisories
Centericq Multiple Buffer Overflows
Portcullis Security Advisory 06-063
Vulnerable System:
centericq
Vulnerability Title:
Centericq is vulnerable to multiple buffer overflows.
Vulnerability Discovery And Development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out..
Credit for Discovery:
Nico Leidecker - Portcullis Computer Security Ltd.
Affected systems:
Version 4.21 on FreeBSD and the official sources were tested as vulnerable.
Previous versions and those versions running on various Linux distributions may be
affected.
Details:
Centericq provides modules to several messaging and chat protocols. The
modules for Yahoo, LiveJournal, Jabber and IRC are vulnerable to multiple
buffer overflows mainly, when the user receives a notification message for
certain events. The following list identifies the events which have to be
undertaken in order to result in a possible buffer overflow.
IRC Hook
- a user in the victims contact list changes his nickname. The sum of the
length of his old and his new nickname has to be greater than 100.
- a user joins or leaves a channel and the length of nickname and real
name are greater than 512.
- the victim obtains the IRC client information from another user. The
information length must be greater than 512 bytes.
- in the event message, when a user gets kicked from a channel and the
length of his username and the name of the op user are greater than 512.
- a third user or the victim gets opped or deopped by an op whereas length
of username and op name are greater than 512.
Untested buffer overflows in the following modules:
Jabber Hook
- the victim obtains the Jabber client information from another user. The
information length must be greater than 512 bytes.
LiveJournal Hook
- in the notification message, when the attacker adds or removes the victim
to or from his friend list.
Yahoo Hook
- in the notification message, when a user invites the victim to a
conference.
- if the attacker declines a conference invitation
- a user joins or leaves a conference
- a user gets informed, when he received a new email.
when the total length of sender and subject are greater than 1024 a
buffer overflow follows.
As an example:
One of the modules is an Internet Relay Chat (IRC) module. The centericq user
is notified for every change of nickname for any user in his contact list and
logs it to a file. However, only 100 bytes are allocated for the log message
which includes both the old and new username. Furthermore, centericq fails to
check the sizes of the usernames and therefore suffers from a buffer overflow
if the sum of the length of old and new username is greater than 40 (format
string covers the remaining 60 bytes). In order to get into the victims contact
list, the attacker simply sends a message to the user. He has not joined any
channel by doing that. In the next step, the attacker changes his nickname to
another name that may include arbitrary code to execute within the context of
the running of centericq. Official IRC Servers may not support usernames that
are 20 bytes or longer. Although, the attacker could lead the victim to a server
controlled by him to exploit these vulnerabilities.
Impact:
The attacker could cause a Denial of Service or execute arbitrary code with
the users privileges.
Exploit:
The proof of concept exploit code is available.
Vendor Status:
Contacted k@thekonst.net
e-mailed - 16th January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007
Copyright:
Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.