LSS Security Advisory #LSS-2004-11-3
             https://security.lss.hr


---

Title       :  BNC 2.8.9 remote buffer overflow
Advisory ID     :  LSS-2004-11-3
Date       :  November 10th, 2004 
Advisory URL:     :  https://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03 
Impact       :  Remote code execution or DoS attack
Risk level     :  High 
Vulnerability type :  Remote
Vendors contacted  :  www.gotbnc.com, November 7th, 2004 

---




===[ Overview 

BNC is an IRC (Internet Relay Chat) proxying server under the GPL. It 
allows users to connect to chat servers by bouncing off the computer which
is running BNC. Basically, it forwards the information from the user to the
server and vise versa. 



===[ Vulnerability

There is a buffer overflow vulnerability in getnickuserhost() function that
is called when BNC is processing response from some IRC server. When BNC is
connected to some IRC server, it will send 'USER' and 'NICK' command. Server
response is at some point processed with getnickuserhost() function. 

Vulnerable code:
----------------
int getnickuserhost(char **argv,char *buf,char *fix)
{
        int p,c;
        c=0;
        argv[0]=buf;

        for(p=0;buf[p];p++)
        {
                if(buf[p] == '!')
                {
                        buf[p]='\0';
                        fix[c++]='!';
                        argv[1]=&buf[p+1];
                }
                if(buf[p] == '@')
                {
                        buf[p]='\0';
                        fix[c++]='@';
                        argv[2]=&buf[p+1];
                }       
        }               
        return c;
}               
----------------

'buf' points to 512+1 bytes static buffer (in BSS segment) that contains
server response, and 'fix' points to 3 byte stack buffer. If there is '!' 
or '@' character in server response (buf), it will be written to 'fix'. 
Number of '!' and '@' characters that can be written to 'fix' isn't
limited, so it is possible to overflow it. 
Function getnickuserhost() is called from functions srv_nick() and 
ismenuh(), and ismenuh() is called from srv_part() and process_join(), so
there are few possible exploitation paths.

srv_nick() example:
----------------
int srv_nick(struct cliententry *cptr, char *prefix, int pargc, char 
**pargv)
{
        int p,repc,c,f;
        char repv[3];
        char *nuh[3];
  ...
  c=strlen(prefix);

        repc = getnickuserhost(nuh, prefix, repv);
  ...
        for(p=0;p<c;p++)
        {
                if( prefix[p] == '\0' )
                {
                        if(repc > 0)
                        {
                                prefix[p]=repv[f++];
                                repc--;
                        }
                }
        }
  ...
----------------

Since stack can be overflowed just with '!' and '@' characters, it isn't
easy to exploit this vulnerability. It could be exploited with off-by-one
or off-by-two frame overflow, but some partial EIP overflow could also 
prove to be useful. It is also possible to overflow 'c' counter that could
have some impact later in 'for' loop. 



===[ Affected versions

Vulnerability has been discovered and tested on latest BNC 2.8.9, but older
versions are affected too. Vulnerability can be exploited if attacker 
tricks user to connect to his fake IRC server that will exploit this
vulnerability. If the attacker has access to BNC proxy server, this 
vulnerability can be used to gain shell access on machine where BNC proxy 
server is set.



===[ Fix

Vendor has released a patched version - bnc-2.9.0.

The source of the patched version can be downloaded from: 
https://www.gotbnc.com/files/bnc2.9.0.tar.gz



===[ PoC Exploit

Proof of concept code can be downloaded from https://security.lss.hr/en/PoC/

BNC status after PoC overflow:
----------------------
[root@laptop bnc2.8.9]# gdb ./bnc 11313
...
Program received signal SIGSEGV, Segmentation fault.
0x21212121 in ?? ()
...
eax            0x1  1
ecx            0x30  48
edx            0x30  48
ebx            0x21212121  555819297
esp            0xbffff790  0xbffff790
ebp            0x21212121  0x21212121
esi            0x21212121  555819297
edi            0x21212121  555819297
eip            0x21212121  0x21212121
eflags         0x210246  2163270
...
----------------------
After PoC overflow, BNC daemon dies, and all users will be disconnected,
so this vulnerability can also be used as an DoS (Denial of Service) 
attack.



===[ Credits

Credits for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : https://security.lss.hr
 E-mail : security@LSS.hr
 Tel  : +385 1 6129 775