SECURITY ADVISORY ================== A serious buffer overflow issue has been discovered in UnrealIRCd. This issue can cause the IRC server to crash. It is not clear if this issue can lead to remote code execution. ==[ AFFECTED VERSIONS ]== This bug can ONLY be triggered if allow::options::noident is in use. By default, this is not the case, and it's not a very common option to use. To check for this, you can search for "noident" (without quotes) in your config files (such as unrealircd.conf). If you don't use this option, you are safe, and there's no need to upgrade. If you use the noident option, and you're using Unreal3.2.8 or earlier (this issue goes back to 3.2beta11), then you are affected. ==[ PROBLEM ]== A buffer in the code which handles user authorization is copied without sufficient length checks, causing a buffer overflow. This bug happens BEFORE the user is online. In other words: even if you have a password protected server, or only allow certain ip/hosts in, and you use allow::options::noident, then this bug can still be triggered. There has been one report of this bug being abused by "bad guys" to crash the server, so if you're using allow::options::noident then it's highly recommended to either implement the WORKAROUND or FIX as soon as possible. ==[ WORKAROUND ]== The workaround is simply to remove noident from the allow::options and /REHASH. For example, if you have: allow { ip "*abc@*"; hostname "*abc@*"; class clients; maxperip 3; options { noident; }; // MARK }; Then simply remove the line marked with MARK, and /REHASH the IRCd. Naturally, if you rely on the noident feature on your network/IRCd, then this may not be an option for you. Check out the FIX in next section, instead. ==[ FIX ]== Thanks to having a (partially) modular IRC server, we have created a "hot fix" utility that will fix the issue WITHOUT requiring a server restart. All you will have to do is install it and rehash. This patch can be used on UnrealIRCd versions 3.2.3 - 3.2.8. If you are using any older version (unsupported), then we suggest you to upgrade to the latest version or implement the workaround. *NIX: Download and run the hotfix utility, available from these locations: http://www.unrealircd.com/upd/unrealpatch328 http://www.vulnscan.org/unr/unrealpatch328 EXAMPLE: cd ~/Unreal3.2 && wget http://www.unrealircd.com/upd/unrealpatch328 && \ chmod +x unrealpatch328 && ./unrealpatch328 (or use 'fetch' instead of 'wget', or any other download utility) Alternatively if that did not work, try this .tar.gz: http://www.unrealircd.com/upd/qpatch.tar.gz OR http://www.vulnscan.org/unr/qpatch.tar.gz Extract it, cd to the qpatch directory and run ./doinstall Windows: Unfortunately, we did not have the resources to make a hotfix utility for Windows, so you will have to either implement the workaround or upgrade your UnrealIRCd to 3.2.8.1: http://www.unrealircd.com/downloads/unreal/win (Windows) http://www.unrealircd.com/downloads/unreal/winssl (Windows SSL) ==[ NEW VERSION ]== While for existing installations you can use the FIX as explained above. For fresh installs, we've released a new Unreal version called 3.2.8.1, which can be downloaded from http://www.unrealircd.com/ MD5 checksums: 86212ebf6feab6cc57a4ebba99632db2 qpatch.tar.gz c855fd1fe1cb2f08095bf7cd8f2f1120 unrealpatch328 7b741e94e867c0a7370553fd01506c66 Unreal3.2.8.1.tar.gz 5a6941385cd04f19d9f4241e5c912d18 Unreal3.2.8.1.exe a54eafa6861b6219f4f28451450cdbd3 Unreal3.2.8.1-SSL.exe SHA1 checksums: 6654bccd941ea038e9bef847703b25450b739ba1 qpatch.tar.gz 766118e3cdad454dc189a8bb06cbc8ff55cdb7f7 unrealpatch328 363c3c995bb38cf601f409610ce1937a0002c419 Unreal3.2.8.1.tar.gz d2e73094149bbcc9238b111f12f30fa8f8a463cc Unreal3.2.8.1.exe 336972a8201a67be2bcbb012f66abd11d19ade46 Unreal3.2.8.1-SSL.exe ==[ TIMELINE ]== Times are UTC 2009-04-10 Bug reported 2009-04-11 Additional information requested 2009-04-12 Information provided 2009-04-12 Bug traced, working on fix 2009-04-13 Fix & binaries ready. Public announcement ==[ SOURCE ]== A copy (and any updates) of this advisory is available at: http://www.unrealircd.com/txt/unrealsecadvisory.20090413.txt