irssi-import / bugs.irssi.org

bugs.irssi.org archive
https://github.com/irssi/irssi/issues

Remote crash exploit #785

Closed irssibot closed 13 years ago

irssibot commented 13 years ago

My Irssi (0.8.15 (20100403 1617)) crashed twice within 24 hours, without any crashes for months before. In both cases the last lines of the status log contained strange characters from the same person, so it is quite certain those were the reason for the crashes. The backtrace of the second crash is attached (didn't save one from the first crash, but it did give one). It looks like a buffer overflow, so it might be usable for remote code execution. Given that the fish encryption module is in use, the bug might be directly or indirectly caused by it as well.

These messages are plaintext already decrypted from fish-encryption (FiSH v1.00 RC4 - encryption module for Irssi. URL: http://fish.secure.la/).

Last lines of status log for second crash (backtrace attached):
20:51:34 #censored: < censored> > ¾Êrwr
20:51:38 #censored: < censored> > ev���'�Q�x�6
20:51:43 #censored: < censored> > ÝXxèѱ¦õò¤çPO¸3?Î^îµËì

Log of the case from other person:
[19:51:00] ¾Êrwr
[19:51:04] evÚ Ò'ˆQÒxãƒ6
[19:51:08] ÝXxèѱ¦õò¤çPO¸3?Î^îµËì
[19:51:10] * Quits: Phantasm (ghost@hidden-9DD8199F.fi) (Input/output error)

Last lines of status log for first crash:
03:24:11 #censored: < censored> > F^XÜÁ^WO
03:24:14 #censored: < censored> > <8F><9E>^K
03:25:56 #censored: < censored> > <<þüvèsž

Log of the case from other person:
[02:23:42] FÜÁO
[02:23:45] ¦æž Ý
[02:25:28] <<þüvèsž
[02:25:29] * Quits: Phantasm (ghost@hidden-9DD8199F.fi) (Input/output error)

irssibot commented 13 years ago

backtrace.txt

[(status)] *** glibc detected *** irssi: free(): invalid next size (fast): 0x086a8638 ***
======= Backtrace: =========
/lib/i686/nosegneg/libc.so.6[0xb7a2f2a4]
/lib/i686/nosegneg/libc.so.6(cfree+0x96)[0xb7a31506]
/usr/lib/libglib-2.0.so.0(g_free+0x36)[0xb7d2b446]
irssi[0x807928a]
irssi[0x80e177d]
irssi(signal_emit+0x4c)[0x80e1d4c]
irssi[0x80a7347]
irssi[0x80e177d]
irssi(signal_emit_id+0x40)[0x80e1ca0]
irssi[0x80a6f53]
irssi[0x80e177d]
irssi(signal_emit_id+0x40)[0x80e1ca0]
irssi[0x80a71ee]
irssi[0x80d323e]
/usr/lib/libglib-2.0.so.0[0xb7d5967d]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x1e8)[0xb7d231d8]
/usr/lib/libglib-2.0.so.0[0xb7d26873]
/usr/lib/libglib-2.0.so.0(g_main_context_iteration+0x71)[0xb7d26a31]
irssi(main+0x22c)[0x8071eec]
/lib/i686/nosegneg/libc.so.6(__libc_start_main+0xe5)[0xb79d6455]
irssi[0x805c401]
======= Memory map: ========
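The glibc line at the top of the attachment, "free(): invalid next size (fast)", is raised by malloc's own consistency check when the size field of the chunk adjacent to the one being freed has been overwritten; the write that clobbered it happened earlier and elsewhere, which is why the frames show the detection site (g_free called from irssi's signal handlers) rather than the module that did the writing. The following triage helper is an added example, not code from the report or from irssi: it parses the glibc abort format shown above (the frame lines are a constructed subset of the attached backtrace) and separates the heap-corruption class from the detection site.

```python
import re

# Constructed sample in the same format as the attached backtrace.txt
# (abort line plus a subset of the frames; not the complete attachment).
SAMPLE = """\
*** glibc detected *** irssi: free(): invalid next size (fast): 0x086a8638 ***
======= Backtrace: =========
/lib/i686/nosegneg/libc.so.6[0xb7a2f2a4]
/lib/i686/nosegneg/libc.so.6(cfree+0x96)[0xb7a31506]
/usr/lib/libglib-2.0.so.0(g_free+0x36)[0xb7d2b446]
irssi[0x807928a]
irssi(signal_emit+0x4c)[0x80e1d4c]
======= Memory map: ========
"""

# "*** glibc detected *** <prog>: <check>: <ptr> ***"
ABORT_RE = re.compile(
    r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<check>.+?): (?P<ptr>0x[0-9a-f]+) \*\*\*")
# "<object>(<symbol>+<offset>)[<addr>]" or "<object>[<addr>]" when unsymbolized
FRAME_RE = re.compile(
    r"^(?P<obj>[^\s(\[]+)(?:\((?P<sym>[^+)]*)\+(?P<off>0x[0-9a-f]+)\))?\[(?P<addr>0x[0-9a-f]+)\]$")

# malloc checks that fire because heap metadata was already overwritten
# by an earlier out-of-bounds write, not because of the code calling free().
HEAP_CORRUPTION_CHECKS = ("invalid next size", "invalid pointer",
                          "double free or corruption", "corrupted double-linked list")

def parse_glibc_abort(text):
    """Return program, failed check, pointer and backtrace frames from a glibc abort dump."""
    info = {"program": None, "check": None, "pointer": None, "frames": []}
    in_bt = False
    for line in text.splitlines():
        m = ABORT_RE.search(line)
        if m:
            info.update(program=m["prog"], check=m["check"], pointer=m["ptr"])
            continue
        if line.startswith("======= Backtrace"):
            in_bt = True
            continue
        if line.startswith("======= Memory map"):
            break  # the map that follows is not needed for triage
        if in_bt:
            f = FRAME_RE.match(line.strip())
            if f:
                info["frames"].append({"object": f["obj"], "symbol": f["sym"],
                                       "offset": f["off"], "addr": f["addr"]})
    return info

def triage(info):
    """Classify the abort and name the detection site (first symbol outside libc)."""
    corrupted = any(c in (info["check"] or "") for c in HEAP_CORRUPTION_CHECKS)
    objects = []  # shared objects on the stack, innermost first, without duplicates
    for fr in info["frames"]:
        name = fr["object"].rsplit("/", 1)[-1]
        if name not in objects:
            objects.append(name)
    detect = next((fr["symbol"] for fr in info["frames"]
                   if fr["symbol"] and "libc" not in fr["object"]), None)
    return {"heap_corruption": corrupted, "objects": objects, "detection_symbol": detect}
```

A heap_corruption result means the faulting module may not appear in the frames at all; the loaded-module list (here including libfish.so) is then the better lead for which code to inspect.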
irssibot commented 13 years ago

There's at least one known exploit for crashing irssi via the FiSH module using specifically crafted messages. Unfortunately, this is a bug in the FiSH module, not an issue with Irssi itself.

irssibot commented 13 years ago

Reporting the problem to fish.secure.la. Also confirmed that it is in v1.00 RC5 as well.

irssibot commented 13 years ago

This is a bug with the fish module, not irssi itself.