Vulnerabilities > CVE-2012-6084

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
ircd-ratbox
ratbox
nessus

Summary

modules/m_capab.c in (1) ircd-ratbox before 3.0.8 and (2) Charybdis before 3.4.2 does not properly support capability negotiation during server handshakes, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request. The weakness is classified as CWE-476, 'NULL Pointer Dereference' (http://cwe.mitre.org/data/definitions/476.html).

Vulnerable Configurations

Part Description Count
Application
Ircd-Ratbox
51
Application
Ratbox
52

Nessus

  • NASL familyMisc.
    NASL idIRCD_CHARYBDIS_CAPAB_DOS.NASL
    descriptionThe remote host is running a version of Charybdis IRCd that is affected by a denial of service (DoS) vulnerability. An issue exists in the
    last seen2020-06-01
    modified2020-06-02
    plugin id65196
    published2013-03-11
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65196
    titleCharybdis IRCd m_capab.c Denial of Service
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set (presumably by the scan
    # engine while it registers plugins - confirm), only the metadata below is
    # declared and the branch ends in exit(0), so none of the detection code
    # after it runs in that pass.
    if (description)
    {
      script_id(65196);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/27");
    
      script_cve_id("CVE-2012-6084");
      script_bugtraq_id(57085);
    
      script_name(english:"Charybdis IRCd m_capab.c Denial of Service");
      # The summary states the method: a version check, not a crash attempt.
      script_summary(english:"Checks the version of the remote Charybdis IRCd");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote chat server is affected by a denial of service
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Charybdis IRCd that is affected
    by a denial of service (DoS) vulnerability.  An issue exists in the
    'CAPAB' module in 'm_capab.c' that causes servers to improperly handle
    negotiation handshakes. 
    
    An unauthenticated, remote attacker could exploit this issue with a
    specially crafted request, impacting the availability of the service.");
      script_set_attribute(attribute:"see_also", value:"http://rabbit.dereferenced.org/~nenolod/ASA-2012-12-31.txt");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Charybdis 3.4.2 or later.");
      # CVSS v2 base: network vector, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # CVSS v2 temporal: proof-of-concept exploit code, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/12/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/11");
    
      # Declared as a potential vulnerability; together with the
      # Settings/ParanoidReport key required further down, the result is meant to
      # be read as "version looks affected", not as a confirmed finding.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      # NOTE(review): the CPE names ircd-ratbox although this plugin targets
      # Charybdis - confirm whether that is intentional before relying on the CPE
      # for asset correlation.
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ratbox:ircd-ratbox");
      script_end_attributes();
    
      # Registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # ircd.nasl is declared as a dependency; presumably it stores the
      # irc/banner/<port> entry that the detection code reads - confirm.
      script_dependencies("ircd.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/irc", 6667);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Banner-only detection: the version is parsed from the IRC banner held in
    # the knowledge base and compared with the fixed release. Nothing in this
    # block sends CAPAB or any other traffic to the target, so a positive result
    # means "the advertised version is older than the fix".
    appname = "Charybdis IRCd";
    
    port = get_service(svc:"irc", default:6667, exit_on_fail:TRUE);
    
    banner = get_kb_item_or_exit("irc/banner/"+port);
    # '>!<' is the "substring not found" test: stop unless the banner names charybdis.
    if ("charybdis" >!< banner) audit(AUDIT_NOT_DETECT, appname, port);
    
    # Keep only the two captured pieces of the banner line (the field in the
    # fourth position and the trailing text after ':'), joined by a space.
    version = ereg_replace(string:banner, pattern:": *[^ ]+ +[0-9]+ +[a-zA-Z0-9]+ +([^ ]+) +[^ ]+ *:(.*)", replace:"\1 \2");
    # match[1] is the release number plus an optional -dev/-rc suffix; a literal
    # "(" must follow it in the banner.
    pattern = "charybdis-?(([0-9\.]+-?([0-9]+)?)(|-?dev\d?|-?rc\d?)?)\(";
    match = eregmatch(pattern:pattern, string:version);
    if (isnull(match)) exit(1, "Failed to extract the version of "+appname+" listening on port "+port+".");
    full_ver = match[1];
    
    # Report only at paranoia level 2 or higher.
    # NOTE(review): presumably because a banner cannot show a backported fix -
    # verify the installed build before acting on the result.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fixed = '3.4.2';
    # Flags 0.x-2.x, 3.0.x-3.3.x, 3.4.0 and 3.4.1, and "3.4.2" followed by a
    # non-digit (the suffixed builds captured above, such as -dev or -rc).
    # NOTE(review): a two-component version such as "3.3" does not match
    # '3\.[0-3]\.', and the last alternative would also match "3.4.2." followed
    # by further digits - confirm against real banners.
    if (full_ver =~ "^([0-2]\.|3\.[0-3]\.|3\.4\.[0-1]($|[^0-9])|3\.4\.2[^0-9])")
    {
      if (report_verbosity > 0)
      {
        # The report shows the raw banner, the parsed version and the fixed release.
        report =
            '\n  Version source    : ' + chomp(banner) +
            '\n  Installed version : ' + full_ver +
            '\n  Fixed version     : ' + fixed + '\n';
        security_warning(port:port,extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, appname, port, full_ver);
    
  • NASL familyMisc.
    NASL idIRCD_RATBOX_CAPAB_DOS.NASL
    descriptionThe remote host is running a version of ircd-ratbox that is affected by a denial of service (DoS) vulnerability. An issue exists in the
    last seen2020-06-01
    modified2020-06-02
    plugin id65197
    published2013-03-11
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65197
    titleircd-ratbox m_capab.c Denial of Service
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set (presumably by the scan
    # engine while it registers plugins - confirm), only the metadata below is
    # declared and the branch ends in exit(0), so none of the detection code
    # after it runs in that pass.
    if (description)
    {
      script_id(65197);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/27");
    
      script_cve_id("CVE-2012-6084");
      script_bugtraq_id(57085);
    
      script_name(english:"ircd-ratbox m_capab.c Denial of Service");
      # The summary states the method: a version check, not a crash attempt.
      script_summary(english:"Checks the version of the remote ircd-ratbox");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote chat server is affected by a denial of service
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of ircd-ratbox that is affected by
    a denial of service (DoS) vulnerability.  An issue exists in the 'CAPAB'
    module in 'm_capab.c' that causes servers to improperly handle
    negotiation handshakes. 
    
    An unauthenticated, remote attacker could exploit this issue with a
    specially crafted request, impacting the availability of the service.");
      script_set_attribute(attribute:"see_also", value:"http://rabbit.dereferenced.org/~nenolod/ASA-2012-12-31.txt");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to ircd-ratbox 3.0.8 or later.");
      # CVSS v2 base: network vector, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # CVSS v2 temporal: proof-of-concept exploit code, official fix, confirmed report.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/12/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/11");
    
      # Declared as a potential vulnerability; together with the
      # Settings/ParanoidReport key required further down, the result is meant to
      # be read as "version looks affected", not as a confirmed finding.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ratbox:ircd-ratbox");
      script_end_attributes();
    
      # Registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # ircd.nasl is declared as a dependency; presumably it stores the
      # irc/banner/<port> entry that the detection code reads - confirm.
      script_dependencies("ircd.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/irc", 6667);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Banner-only detection: the version is parsed from the IRC banner held in
    # the knowledge base and compared with the fixed release. Nothing in this
    # block sends CAPAB or any other traffic to the target, so a positive result
    # means "the advertised version is older than the fix".
    appname = "ircd-ratbox";
    
    port = get_service(svc:"irc", default:6667, exit_on_fail:TRUE);
    
    banner = get_kb_item_or_exit("irc/banner/"+port);
    # '>!<' is the "substring not found" test: stop unless the banner names ircd-ratbox.
    if ("ircd-ratbox" >!< banner) audit(AUDIT_NOT_DETECT, appname, port);
    
    # Keep only the two captured pieces of the banner line (the field in the
    # fourth position and the trailing text after ':'), joined by a space.
    version = ereg_replace(string:banner, pattern: ": *[^ ]+ +[0-9]+ +[a-zA-Z0-9]+ +([^ ]+) +[^ ]+ *:(.*)", replace: "\1 \2");
    # match[1] is the release number plus an optional -dev/-rc suffix; a literal
    # "(" must follow it in the banner.
    pattern = "ircd-ratbox-?(([0-9\.]+-?([0-9]+)?)(|-?dev\d?|-?rc\d?)?)\(";
    match = eregmatch(pattern:pattern, string:version);
    if (isnull(match)) exit(1, "Failed to extract the version of "+appname+" listening on port "+port+".");
    full_ver = match[1];
    
    # Report only at paranoia level 2 or higher.
    # NOTE(review): presumably because a banner cannot show a backported fix -
    # verify the installed build before acting on the result.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fixed = '3.0.8';
    # Flags 2.x, 3.0.0-3.0.7, and "3.0.8" followed by a non-digit (the suffixed
    # builds captured above, such as -dev or -rc).
    # NOTE(review): 0.x/1.x releases and a two-component "3.0" do not match any
    # alternative, and the last one would also match "3.0.8." followed by
    # further digits - confirm against real banners.
    if (full_ver =~ "^(2\.|3\.0\.[0-7]($|[^0-9])|3\.0\.8[^0-9])")
    {
      if (report_verbosity > 0)
      {
        # The report shows the raw banner, the parsed version and the fixed release.
        report =
            '\n  Version source    : ' + chomp(banner) +
            '\n  Installed version : ' + full_ver +
            '\n  Fixed version     : ' + fixed + '\n';
        security_warning(port:port,extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, appname, port, full_ver);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2612.NASL
    descriptionIt was discovered that a bug in the server capability negotiation code of ircd-ratbox could result in denial of service.
    last seen2020-03-17
    modified2013-01-25
    plugin id64082
    published2013-01-25
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64082
    titleDebian DSA-2612-2 : ircd-ratbox - programming error
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2612. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set (presumably by the scan
    # engine while it registers plugins - confirm), only the metadata below is
    # declared and the branch ends in exit(0), so the package check after it
    # does not run in that pass.
    if (description)
    {
      script_id(64082);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-6084");
      script_bugtraq_id(57085);
      script_xref(name:"DSA", value:"2612");
    
      script_name(english:"Debian DSA-2612-2 : ircd-ratbox - programming error");
      # The summary states the method: a comparison against the dpkg package list.
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that a bug in the server capability negotiation code
    of ircd-ratbox could result in denial of service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze/ircd-ratbox"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2013/dsa-2612"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the ircd-ratbox packages.
    
    For the stable distribution (squeeze), this problem has been fixed in
    version 3.0.6.dfsg-2+squeeze1."
      );
      # CVSS v2 base: network vector, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # NOTE(review): this declares no known exploit (E:U, exploit_available
      # "false"), while remote-check plugins 65196 and 65197 for the same CVE
      # declare proof-of-concept code as available; prefer the more conservative
      # value when prioritising the update.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ircd-ratbox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      # NOTE(review): the patch date is later than the plugin publication date;
      # the title carries the "-2" advisory revision, so this presumably reflects
      # a revised advisory - confirm.
      script_set_attribute(attribute:"patch_publication_date", value:"2013/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/25");
      script_end_attributes();
    
      # Registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # ssh_get_info.nasl is declared as a dependency; presumably it collects
      # the Host/Debian/* entries required here - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Local package check: all three knowledge-base entries must be present;
    # each missing one ends the run with the matching audit message.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Count packages on release 6.0 that fail the comparison with the fixed
    # version 3.0.6.dfsg-2+squeeze1.
    # NOTE(review): presumably deb_check returns true when the installed package
    # is older than 'reference' - confirm in debian_package.inc.
    flag = 0;
    if (deb_check(release:"6.0", prefix:"ircd-ratbox", reference:"3.0.6.dfsg-2+squeeze1")) flag++;
    if (deb_check(release:"6.0", prefix:"ircd-ratbox-dbg", reference:"3.0.6.dfsg-2+squeeze1")) flag++;
    
    if (flag)
    {
      # The finding is reported against port 0, with the package report
      # attached when verbosity is above 0.
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201405-21.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201405-21 (Charybdis, ShadowIRCd: Denial of Service) A vulnerability has been discovered in Charybdis and ShadowIRCd. Please review the CVE identifier referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id74063
    published2014-05-19
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74063
    titleGLSA-201405-21 : Charybdis, ShadowIRCd: Denial of Service
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201405-21.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration branch: when 'description' is set (presumably by the scan
    # engine while it registers plugins - confirm), only the metadata below is
    # declared and the branch ends in exit(0), so the package check after it
    # does not run in that pass.
    if (description)
    {
      script_id(74063);
      script_version("1.4");
      script_cvs_date("Date: 2018/12/05 20:31:22");
    
      script_cve_id("CVE-2012-6084");
      script_bugtraq_id(57085);
      script_xref(name:"GLSA", value:"201405-21");
    
      script_name(english:"GLSA-201405-21 : Charybdis, ShadowIRCd: Denial of Service");
      # The summary states the method: a comparison against the installed package list.
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201405-21
    (Charybdis, ShadowIRCd: Denial of Service)
    
        A vulnerability has been discovered in Charybdis and ShadowIRCd. Please
          review the CVE identifier referenced below for details.
      
    Impact :
    
        A remote attacker may be able to cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201405-21"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Charybdis users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-irc/charybdis-3.4.2'
        All ShadowIRCd users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-irc/shadowircd-6.3.3'"
      );
      # CVSS v2 base: network vector, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # NOTE(review): this declares no known exploit (E:U, exploit_available
      # "false"), while remote-check plugins 65196 and 65197 for the same CVE
      # declare proof-of-concept code as available; prefer the more conservative
      # value when prioritising the update.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:charybdis");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:shadowircd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/19");
      script_end_attributes();
    
      # Registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      # ssh_get_info.nasl is declared as a dependency; presumably it collects
      # the Host/Gentoo/* entries required here - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Local package check: all three knowledge-base entries must be present;
    # each missing one ends the run with the matching audit message.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Each package is tested with an explicit pair of ranges: versions below the
    # fixed release are listed as vulnerable, the fixed release and later as
    # unaffected (ShadowIRCd 6.3.3, Charybdis 3.4.2).
    if (qpkg_check(package:"net-irc/shadowircd", unaffected:make_list("ge 6.3.3"), vulnerable:make_list("lt 6.3.3"))) flag++;
    if (qpkg_check(package:"net-irc/charybdis", unaffected:make_list("ge 3.4.2"), vulnerable:make_list("lt 3.4.2"))) flag++;
    
    if (flag)
    {
      # The finding is reported against port 0, with the package report
      # attached when verbosity is above 0.
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # Distinguish "package present but not affected" from "neither package
      # installed", based on whether any package test was recorded.
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Charybdis / ShadowIRCd");
    }
    
  • NASL familyMisc.
    NASL idIRCD_SHADOWIRCD_CAPAB_DOS.NASL
    descriptionThe remote host is running a version of ShadowIRCd that is affected by a denial of service (DoS) vulnerability. An issue exists in the
    last seen2020-06-01
    modified2020-06-02
    plugin id65198
    published2013-03-11
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65198
    titleShadowIRCd m_capab.c Denial of Service

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/119238/rb_capab.py.txt
idPACKETSTORM:119238
last seen2016-12-05
published2013-01-04
reporterAph3x
sourcehttps://packetstormsecurity.com/files/119238/Ratbox-IRCd-Denial-Of-Service.html
titleRatbox IRCd Denial Of Service