Vulnerabilities > CVE-2003-0478 - Denial-Of-Service vulnerability in Ircd

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
andromede
daniel-moss
hans-westerhof
wenet
bahamut
critical
nessus
exploit available

Summary

Format string vulnerability in (1) Bahamut IRCd 1.4.35 and earlier, and other IRC daemons based on Bahamut including (2) digatech 1.2.1, (3) methane 0.1.1, (4) AndromedeIRCd 1.2.3-Release, and (5) ircd-RU, when running in debug mode, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a request containing format strings.

Vulnerable Configurations

Part | Description | Count
Application | Andromede | 1
Application | Daniel_Moss | 1
Application | Hans_Westerhof | 1
Application | Wenet | 1
OS | Bahamut | 1

Exploit-Db

description: methane IRCd 0.1.1 Remote Format String Vulnerability. CVE-2003-0478. DoS exploit for Linux platform
id: EDB-ID:22839
last seen: 2016-02-02
modified: 2003-06-27
published: 2003-06-27
reporter: Dinos
source: https://www.exploit-db.com/download/22839/
title: methane IRCd 0.1.1 - Remote Format String Vulnerability

Nessus

NASL family: Gain a shell remotely
NASL id: IRCD_FORMAT_STRING.NASL
description: The remote host is running a version of ircd that could be vulnerable to a format string attack. An attacker could exploit this flaw to execute arbitrary code on this host, or simply to disable this service remotely.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11783
published: 2003-06-27
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11783
title: Multiple Vendor IRC Daemon Debug Format String
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description` set,
# only the metadata below is declared and the block ends with exit(0), so the
# detection code further down does not run in that pass.
if(description)
{
 # Plugin identity and the advisories it maps to (CVE and Bugtraq IDs).
 script_id(11783);
 script_version ("1.15");

 script_cve_id("CVE-2003-0478");
 script_bugtraq_id(8038);
 
 script_name(english:"Multiple Vendor IRC Daemon Debug Format String");
 
 # NOTE(review): the plugin name says "Debug", but neither the synopsis nor the
 # description below tells the reader that the CVE-2003-0478 entry limits the
 # flaw to daemons running in debug mode. A finding from this plugin therefore
 # means "banner version is in the affected range", not "confirmed exploitable".
 script_set_attribute(attribute:"synopsis", value:
"The remote chat server is affected by a remote command execution
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of ircd that could be vulnerable
to a format string attack.

An attacker could exploit this flaw to execute arbitrary code on this
host, or simply to disable this service remotely." );
 # Vendor / Bugtraq references for the advisory.
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=105665996104723&w=2" );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=105673555726823&w=2" );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=105673489525906&w=2" );
 # Fixed releases per daemon. These are the versions the detection patterns
 # later in the script should stop matching at.
 script_set_attribute(attribute:"solution", value:
"Upgrade to one of the following IRC daemon :
andromede.net AndromedeIRCd 1.2.4
DALnet Bahamut IRCd 1.4.36
digatech digatech IRCd 1.2.2
methane methane IRCd 0.1.2" );
 # CVSS v2 base vector: network-reachable, low complexity, no authentication,
 # complete confidentiality / integrity / availability impact.
 # Temporal vector: proof-of-concept exploit (E:POC), official fix available
 # (RL:OF), report confirmed (RC:C).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/06/27");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/06/26");
 script_cvs_date("Date: 2018/11/15 20:50:22");
 # "remote": the result is derived from what the service exposes over the
 # network, not from a credentialed look at the installed package.
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"checks the version of the remote ircd");
 # ACT_GATHER_INFO: information gathering only. The detection code in this
 # script reads a stored banner and sends nothing to the IRC daemon itself.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Gain a shell remotely");
 # Run after service discovery and ircd.nasl. The detection code reads the
 # "Services/irc" and "irc/banner/<port>" KB entries, presumably written by
 # these dependencies -- confirm against ircd.nasl.
 script_dependencie("find_service1.nasl", "find_service2.nasl", "ircd.nasl");
 script_require_ports("Services/irc", 6667);
 # End the registration pass here; nothing below runs while describing.
 exit(0);
}

#

# Detection pass: banner-only version check.
#
# The script never talks to the IRC daemon. It takes the banner that an earlier
# plugin stored in the knowledge base and compares the version string against
# one regular expression per daemon family, reporting on the first match.
#
# Caveats for whoever triages a hit:
#  - The CVE-2003-0478 entry restricts the flaw to daemons running in debug
#    mode. A banner cannot show that, so a hit means "version in the affected
#    range"; confirm how the daemon was built/started before rating it.
#  - The CVE entry also lists ircd-RU, which has no pattern here, so a clean
#    result does not cover that daemon.

# Resolve the IRC port from the KB, falling back to the default 6667.
port = get_kb_item("Services/irc");
if (!port) port = 6667;
if (!get_port_state(port)) exit(0);

# Banner stored under "irc/banner/<port>"; without one there is nothing to test.
banner = get_kb_item(string("irc/banner/", port));
if (!banner) exit(0);

# Bahamut: intended to cover 0.x, 1.0-1.3 and 1.4 up to patch level 35
# (the solution text names 1.4.36 as the fixed release).
re_bahamut = ".* bahamut-(0\.|1\.[0-3][^0-9]|1\.4.([0-9][^0-9]|[0-2][0-9]|3[0-5]))";

# AndromedeIRCd: the original comment records a banner of the form
# "AndromedeIRCd-1.3(00)".
# NOTE(review): this matches every 0.x and 1.0-1.2 banner regardless of patch
# level, while the solution text names 1.2.4 as the fix. If 1.2.4 announces
# itself as "1.2(04)", a patched host is still reported -- confirm.
re_andromede = ".*AndromedeIRCd-(0\.|1\.[0-2][^0-9])";

# digatech: the original comment records a banner of the form
# "digatech(sunrise)-1.2(03)".
# NOTE(review): patch levels 00-02 of 1.2 are accepted, but the solution text
# names 1.2.2 as the fix. If "(02)" is 1.2.2, the fixed build is reported --
# confirm against a real banner.
re_digatech = ".*digatech[^0-9]*-(0\.|1\.[01][^0-9]|1\.2.(0[0-2]))";

# methane: the original author marked this pattern "????", i.e. the banner
# format was not known. Matched case-insensitively, unlike the others.
# NOTE(review): the range 0.1.0-0.1.2 includes 0.1.2, which the solution text
# names as the fixed release; verify both the format and the upper bound.
re_methane = ".*methane.*0\.(0.*|(1\.[0-2]))[^0-9]";

# Evaluate the patterns in their original order, stopping at the first match.
affected = FALSE;
if (egrep(pattern:re_bahamut, string:banner))
{
  affected = TRUE;
}
else if (egrep(pattern:re_andromede, string:banner))
{
  affected = TRUE;
}
else if (egrep(pattern:re_digatech, string:banner))
{
  affected = TRUE;
}
else if (egrep(pattern:re_methane, string:banner, icase:TRUE))
{
  affected = TRUE;
}

if (affected)
{
  security_hole(port);
  exit(0);
}

#