Bug 464964

Summary: =net-irc/eggdrop-1.6.21 stack smashing attack function in <unknown>
Product: Gentoo Linux Reporter: Olliver Schinagl <oliver>
Component: Current packages Assignee: Louis Sautier (sbraz) <sbraz>
Status: RESOLVED OBSOLETE    
Severity: normal CC: hardened, net-irc, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Olliver Schinagl 2013-04-07 15:37:56 UTC
I've updated eggdrop from 1.6.19 to 1.6.21 and now whenever a 2nd bot connects to it trying to form a bot net (or it happens just after that anyway) it crashes.

The only response I get is that I have to file a bug, the error was the following:

eggdrop stack smashing attack in function <unknown>

This of course using a pax/grsecurity enabled 3.7.4 kernel.

Going back to 1.6.19 (and leaving all other libs in place) makes everything work fine. Looks like this is an upstream problem with our grsec/pax kernels.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-04-07 19:58:31 UTC
Please post your `emerge --info net-irc/eggdrop' output in a comment.
Comment 2 Olliver Schinagl 2013-04-08 07:34:40 UTC
7of9 ~ # emerge --info net-irc/eggdrop
Portage 2.1.11.55 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.7.5-hardened-r1 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.7.5-hardened-r1-x86_64-AMD_Athlon-tm-_II_Neo_N36L_Dual-Core_Processor-with-gentoo-2.1
KiB Mem:     8133596 total,    168776 free
KiB Swap:    8652416 total,   8536580 free
Timestamp of tree: Sat, 06 Apr 2013 09:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
distcc 3.1 x86_64-pc-linux-gnu [disabled]
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r3, 3.1.4-r3, 3.2.3-r2
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6, 1.12.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo sunrise
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-Os -march=amdfam10 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-Os -march=amdfam10 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://mirror.cambrium.nl/pub/os/linux/gentoo/ ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://vlaai.snt.ipv6.utwente.nl/pub/os/linux/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise"
SYNC="rsync://rsync.nl.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 7zip a52 aac acl acpi aim amd64 amr ao aotuv apache2 apm apng ares artist-screen audiofile authdaemond auto-hinter autoipd avahi bash-completion bcmath berkdb bindist bzip2 bzlib calendar caps cdr cgi clamdtop cli colors console cracklib cross crypt cscope ctype curl custom-optimization cxx dba dbus dedicated device-mapper diskio dlz dri dts dvb dvd dvdr dynamic elf encode exif expat extensions extras fam fastcgi ffmpeg fftw flac flash foomatic foomaticdb frontend ftp fts3 gd gdbm geoip ggi gif git glitz gnutls gpm hardened icecast iconv icq icu id3 idn imagemagick imap imlib inotify intl ipv6 iscsi jabber jbig jpeg jpeg2k json justify kerberos kernel-patch kvm lame latex ldap ldap-bind led lesstif libsamplerate libssh2 libwww lm_sensors logrotate lxc lyrics lyrics-screen lzma lzo mad maildir math matroska mcal mdnsresponder-compat memlimit mhash mikmod mime mmap mmx mng modules mp3 mp4 mp4live mpeg mpeg2 msn mudflap multilib musepack ncurses netpbm new-hpcups nfs nls nocd nptl ogg oggvorbis openipmi openmp oscar pam parcheck parted pax_kernel pcap pcre pdo perl pg-intdatetime php plugins png posix postfix postgres postproc ppds proxy qemu rdesktop readline resolvconf rle sasl server session sharedmem simplexml slp smux sni snmp sockets song-screen sound spamassassin speex spell sqlite sqlite3 sse sse2 sse3 sse4 sse4a ssh ssl subversion svg sysfs szip tcl tcpd tetex theora threads tidy tiff tokenizer udev uml unicode unlock-notify unzip urandom usb utils vda vhosts videos vim vim-syntax vnc vorbis webdav x264 xinetd xml xml2 xmlreader xmlrpc xmlwriter xsl xvid yahoo yp zeroconf zip zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null 
plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgid dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http proxy_html rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="coreboot efi-64 pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en nl de" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="arm i386 mips x86_64" QEMU_USER_TARGETS="arm armeb i386 mips x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="dummy" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

net-irc/eggdrop-1.6.19 was built with the following:
USE="(multilib) postgres ssl -debug -mysql -static -vanilla" ABI_X86="64"
Comment 3 Mads 2013-04-25 18:42:57 UTC
I'm getting something similar when running gentoo-sources, could you test it without pax/grsecurity and see if the same thing happens? It results in a segmentation fault here.
Comment 4 Mads 2013-04-25 18:56:57 UTC
The bug disappears here if compiled with -vanilla -ssl (no enabled useflags at all, that is).
Comment 5 Olliver Schinagl 2013-04-25 21:13:47 UTC
Makes sense, as it's an SSL function that triggers it :)

I think I forgot to mention it, the bot net link happens over SSL I believe. I will do a test build on the bot without SSL soon.
Comment 6 Olliver Schinagl 2013-06-30 12:58:45 UTC
Appears to work fine without ssl, but that's not really an option. Also some change to a patch broke 1.6.19 so can't roll back anymore either.

Disabling pax works, but is also not an option.

So looks like there's a stack smashing attack in the ssl stuff that gets triggered by pax.
Comment 7 Olliver Schinagl 2013-06-30 15:34:16 UTC
After some digging, I found out I could compile without stack-smashing protection, the result was interesting.

[17:31:26] Telnet connection: remotehost.net/49706
[17:31:33] Timeout/EOF ident connection
[17:31:33] Challenging botname...
[17:31:34] Response (password hash) from botname incorrect
[17:31:34] Bad Password: [botname]telnet@remotehost/49706
[17:31:34] * Last context: tclhash.c/721 []
[17:31:34] * Please REPORT this BUG!
[17:31:34] * Check doc/BUG-REPORT on how to do so.
[17:31:34] * Wrote DEBUG
[17:31:34] * SEGMENT VIOLATION -- CRASHING!

I don't think the password is really bad, as 1.6.19 worked just fine. I'll update the remote to 1.6.19 to see if this changes, then I'll try to compile using a vanilla gcc.
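For anyone monitoring an eggdrop host for this crash: the log excerpt above is the signal a defender can alert on, the "SEGMENT VIOLATION" (or, with SSP enabled, "stack smashing") line together with the "Last context" and the telnet source that preceded it. The following is an added example, not part of the bug report or of eggdrop itself; it scans eggdrop log text for those markers and returns a triage record per crash. The sample log is constructed after the excerpt in comment 7 (hostnames and times are illustrative).

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the eggdrop 1.6.21 excerpt in comment 7
# (timestamps and hostnames are illustrative, not captured data).
SAMPLE_LOG = """\
[17:31:26] Telnet connection: remotehost.net/49706
[17:31:33] Timeout/EOF ident connection
[17:31:33] Challenging botname...
[17:31:34] Response (password hash) from botname incorrect
[17:31:34] Bad Password: [botname]telnet@remotehost/49706
[17:31:34] * Last context: tclhash.c/721 []
[17:31:34] * Please REPORT this BUG!
[17:31:34] * Wrote DEBUG
[17:31:34] * SEGMENT VIOLATION -- CRASHING!
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (.*)$")
# Substrings eggdrop/glibc print on the two crash modes seen in this bug.
CRASH_MARKERS = ("SEGMENT VIOLATION", "stack smashing")
CONN_RE = re.compile(r"Telnet connection: (\S+)")
CONTEXT_RE = re.compile(r"\* Last context: (\S+)")

CrashEvent = namedtuple("CrashEvent", "time marker last_context origin preceding")


def find_crashes(log_text, window=8):
    """Return one CrashEvent per crash marker in eggdrop log text.

    origin: most recent 'Telnet connection:' source seen before the crash.
    last_context: the file/line eggdrop printed before dying.
    preceding: the last `window` messages before the crash, for triage.
    """
    events = []
    history = []          # (time, message), most recent last
    origin = None
    last_context = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue        # not an eggdrop-formatted line, skip it
        time, msg = m.groups()
        conn = CONN_RE.search(msg)
        if conn:
            origin = conn.group(1)
        ctx = CONTEXT_RE.search(msg)
        if ctx:
            last_context = ctx.group(1)
        marker = next((k for k in CRASH_MARKERS if k in msg), None)
        if marker:
            events.append(CrashEvent(time, marker, last_context, origin,
                                     [h[1] for h in history[-window:]]))
        history.append((time, msg))
    return events
```

Feed it the bot's logfile and page on any non-empty result; the `origin` field is what to correlate against the peer bot's own logs when reproducing the link failure.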
Comment 8 Olliver Schinagl 2013-07-02 13:49:01 UTC
Strangely, none of those options worked. stack protecting flags off, vanilla gcc, remote updated (it was updated all this time).

Falling back to 18-r3 for now.
Comment 9 Anthony Basile gentoo-dev 2014-10-18 16:16:22 UTC
Sorry for coming late to this bug.  I'm going to reassign it to net-irc because the stack smashing is a problem in eggdrop's code and should be reported upstream.  The hardening just exposes the problem but it's there regardless.  Comment #7 is particularly worrisome because you now have a remotely triggerable vulnerability.  Don't run this as root!
Comment 10 Louis Sautier (sbraz) gentoo-dev 2018-10-26 08:36:11 UTC
This version is really old and has been removed, please let me know if it is still relevant today.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=758962f595fd876bef0d00e5ba392c1b925aa0c8
Author: Louis Sautier <sbraz@gentoo.org>
Date:   Fri Oct 26 10:32:23 2018 +0200

    net-irc/eggdrop: remove ancient version

    Signed-off-by: Louis Sautier <sbraz@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11