Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Apr 2018 00:39:42 +0200
From: nongiach nongiach <nongiach@...il.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>, sputnick@...ssel-irc.org
Subject: CVE-XXX (quasselclient/quasselcore version 0.12.4):
 Heap Remote Code Execution and Null Pointer DDOS

 Hey,

two vulnerabilities have been fixed in quassel, an IRC connection
multiplexer,
one with a high severity and another with a low severity, they are both
publicly fixed:
- these patches apply cleanly to 0.12.4 sources
- 0.12.5 release (Tuesday 24.04) includes these patches, distros have been
notified for the embargo.

==============================================
Vuln 1:
Title: quasselcore, corruption of heap metadata caused by qdatastream
leading to preauth remote code execution.
Severity: high, by default the server port is publicly open and the address
can be requested using the /WHOIS command of IRC protocol.
Description: In Qdatastream protocol each object are prepended with 4 bytes
for the object size, this can be used to trigger allocation errors.
Source: void DataStreamPeer::processMessage(const QByteArray &msg),
datastreampeer.cpp line 62
CWE: A heap corruption of type CWE-120 exists in quassel version 0.12.4 in
the quasselcore that allows an attacker to remote code execution.
Patch: https://quassel-irc.org/pub/misc/0001-Implement-
custom-deserializer-to-add-our-own-sanity-.patch
Screen POC: https://i.imgur.com/JJ4QcNq.png
Credit: @chaign_c
Information: This vulnerability is not specific to qdatastream.

==============================================
Vuln 2:
Title: quasselcore DDOS
Severity: low, impact only a quasselcore not configured.
Description: A login attempt causes a NULL pointer dereference because when
the database is not initialized.
Source: void CoreAuthHandler::handle(const Login &msg),
coreauthhandler.cpp  line 235
CWE: A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4
in the quasselcore that allows an attacker to denial of service.
Patch: https://quassel-irc.org/pub/misc/0002-Reject-
clients-that-attempt-to-login-before-the-core.patch
Credit: @chaign_c

==============================================

With lead dev agreement, POC will be released here
https://github.com/nongiach/CVE/ in one month from now.
A big thx to quassel team for their quick responses and reaction.

CVE number assignation is ongoing.

Thx.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ