Description Lisa Seelye (RETIRED) 2005-01-18 08:41:59 UTC

SECURITY ADVISORY
==================

A serious Denial-of-Service issue has been discovered in UnrealIRCd.

==[ AFFECTED VERSIONS ]==
Affected:
- Unreal3.2: beta18, beta19, RC-1, RC-2, 3.2, 3.2.1, 3.2.2

Unaffected:
- versions older than beta18 (OLD, UNSUPPORTED)
- 3.1* (VERY OLD, UNSUPPORTED)
- If you have NO servers and NO services linked and you
  are using a vulnerable version then this problem does
  not occur (this is however an uncommon configuration)

Fixed in/by:
- Hot-patched 3.2* servers (see FIX)
- The newly released 3.2.2b (for fresh installs)
- CVS from January 15 03:00 GMT and later

==[ PROBLEM ]==
There's a severe crashbug present in UnrealIRCd that can quite
easily be triggered by users. No code execution or anything
like that is possible (it's a NULL pointer dereference),
but it does cause a crash, which is of course serious enough.

Server admins should apply the fix (which does not require a
server restart) as soon as possible before an exploit will
become widespread (within 24h is recommended).

During the time of writing (Jan15 19:00 GMT) there are no signs
of "bad users" causing crashes, but we expect that this will
happen after public announcement of this bug.

==[ WORKAROUND ]==
There's no safe workaround, but see next for an easy fix.

==[ FIX ]==
Thanks to modulized commands we have created a "hot patch" utility
that will fix the issue WITHOUT requiring a server restart, all
you will have to do is install it and rehash.
This patch can be used on Unreal3.2-RC2, 3.2, 3.2.1 and 3.2.2.
Older version (eg: beta's) are not supported, in that case we
suggest you to upgrade to 3.2 (and apply this patch) or 3.2.2b.

*NIX:
 Download and run the hotpatch utility, available URLs:
 http://www.vulnscan.org/tmp/unrealpatch322
 http://www.unrealircd.com/unrealpatch322
 http://unreal.atlanti-ka.org/unrealpatch322

 EXAMPLE:
 cd ~/Unreal3.2 && wget http://www.unrealircd.com/unrealpatch322 && \
 chmod +x unrealpatch322 && ./unrealpatch322
 (or 'fetch' instead of 'wget', or any other download utility)

 Alternatively if that did not work, try this .tar.gz:
 http://www.vulnscan.org/tmp/qpatch.tar.gz OR
 http://www.unrealircd.com/qpatch.tar.gz OR
 http://unreal.atlanti-ka.org/qpatch.tar.gz
 
 Extract it, cd to the directory and run ./doinstall

Windows:
 Download and run the win32 hotpatch utility, available URLs:
 http://www.vulnscan.org/tmp/322_hotpatch.exe
 http://unreal.atlanti-ka.org/322_hotpatch.exe
 http://unrealircd.funny-chat.net/322_hotpatch.exe
 
 (this hotpatch is for 3.2.2 only, if using an older version then
  upgrade to 3.2.2 first).

Additionally, we have replaced the 3.2.2 downloads on our site with
"3.2.2b" which is 3.2.2 + this patch (useful in case the hot patch
utility did somehow not work, or for any new installs):
See http://www.unrealircd.com/?page=downloads

This issue has also been fixed in CVS, both in 'stable' and
'unreal3_2_2fixes' since January 15 2005 03:00 GMT.

MD5 checksums:
2157afe65f97358645aac0b3f957bd57  unrealpatch322
8b842d83d037eca9cedcf49a6306b129  qpatch.tar.gz
d6a90889ce937d77e6e63787d7b31b51  Unreal3.2.2b.tar.gz
90ec48229484b16b94381471c39c07aa  Unreal3.2.2b.exe
de445797833c281f87cdec193f098b0a  Unreal3.2.2b-SSL.exe

SHA1 checksums:
31790d50dfa207a223c76f6c1119a8d48294c796  unrealpatch322
20879d90e328671f1853e78d6e4a6fb2557bf686  qpatch.tar.gz
c3f8258202c32ca09085975b6a042e6296c2d4b7  Unreal3.2.2b-SSL.exe
55019a076def37509fdb7e5382a62662f18dda30  Unreal3.2.2b.exe
749dfb38f514d1341b6ad8199ce0176f7709faf1  Unreal3.2.2b.tar.gz

==[ TIMELINE ]==
Times are GMT+1
13-01-2005  Bug reported, traced and *NIX hotpatch ready 
14-01-2005  Bug fixed in CVS, Win hotpatch ready,
            private announcement to some networks
15-01-2005  CERT-IRC announcement
15-01-2005  Downloads replaced, public announcement

==[ SOURCE ]==
A copy (and any updates) of this advisory is posted on:
http://www.unrealircd.com/unreal3_2_2b_advisory.txt