Date: Fri, 27 Apr 2018 00:39:42 +0200 From: nongiach nongiach <nongiach@...il.com> To: oss-security@...ts.openwall.com Cc: Kurt Seifried <kseifried@...hat.com>, sputnick@...ssel-irc.org Subject: CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Null Pointer DDOS Hey, two vulnerabilities have been fixed in quassel, an IRC connection multiplexer, one with a high severity and another with a low severity, they are both publicly fixed: - these patches apply cleanly to 0.12.4 sources - 0.12.5 release (Tuesday 24.04) includes these patches, distros have been notified for the embargo. ============================================== Vuln 1: Title: quasselcore, corruption of heap metadata caused by qdatastream leading to preauth remote code execution. Severity: high, by default the server port is publicly open and the address can be requested using the /WHOIS command of IRC protocol. Description: In Qdatastream protocol each object are prepended with 4 bytes for the object size, this can be used to trigger allocation errors. Source: void DataStreamPeer::processMessage(const QByteArray &msg), datastreampeer.cpp line 62 CWE: A heap corruption of type CWE-120 exists in quassel version 0.12.4 in the quasselcore that allows an attacker to remote code execution. Patch: https://quassel-irc.org/pub/misc/0001-Implement- custom-deserializer-to-add-our-own-sanity-.patch Screen POC: https://i.imgur.com/JJ4QcNq.png Credit: @chaign_c Information: This vulnerability is not specific to qdatastream. ============================================== Vuln 2: Title: quasselcore DDOS Severity: low, impact only a quasselcore not configured. Description: A login attempt causes a NULL pointer dereference because when the database is not initialized. Source: void CoreAuthHandler::handle(const Login &msg), coreauthhandler.cpp line 235 CWE: A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4 in the quasselcore that allows an attacker to denial of service. Patch: https://quassel-irc.org/pub/misc/0002-Reject- clients-that-attempt-to-login-before-the-core.patch Credit: @chaign_c ============================================== With lead dev agreement, POC will be released here https://github.com/nongiach/CVE/ in one month from now. A big thx to quassel team for their quick responses and reaction. CVE number assignation is ongoing. Thx.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ