ID SECURITYVULNS:DOC:980 Type securityvulns Reporter Securityvulns Modified 2000-11-27T00:00:00
Description
format string problems in hybrid-ircd. some fixed
need valid domain, and in-addr.arpa.
bind8, configure check-names warn;
make host %n%n%n%n.host.com in a 1.2.3.4
4.3.2.1.in-addr.arpa in ptr %n%n%n%n.host.com
connect to comstud (CS) server because allows %
connect 2nd client to hybrid server, join channel.
join comstud client to channel, hybrid server crashes.
use comstud client to place ban on channel, hybrid server crashes.
cause nick collision with hybrid and comstud client, hybrid crashes.
send a notice from comstud client to hybrid client, hybrid crashes
-ntn
This message was sent with Sendpad.com.
The sender indicated his or her e-mail address as "ircd@efnet.net"
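A defensive sketch of the bug class this report describes, added here and not taken from hybrid-ircd or the original message: a host name obtained from a PTR lookup is checked against the RFC 952/1123 character set and is only ever passed to the formatter as an argument. The function names and the message layout are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern in general form (do not use): sprintf(buf, host);
 * any '%' in a peer-supplied host name is then parsed as a conversion. */

/* Accept only RFC 952/1123 host names: letters, digits, '-' and '.'. */
int hostname_is_valid(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-')
                return 0;               /* empty label or trailing '-' */
            label = 0;
        } else if ((!isalnum(c) && c != '-') || (label == 0 && c == '-')) {
            return 0;                   /* '%' and other metacharacters */
        } else if (++label > 63) {
            return 0;                   /* label too long */
        }
    }
    return name[len - 1] != '-';
}

/* Hardened formatting: untrusted strings are arguments, never the format.
 * Returns the message length, or -1 if the host is rejected or truncated.
 * The message layout is hypothetical, for illustration only. */
int build_join_notice(char *out, size_t outlen, const char *nick, const char *host)
{
    int n;

    if (!hostname_is_valid(host))
        return -1;
    n = snprintf(out, outlen, ":%s!user@%s JOIN :#channel", nick, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs; the first is the host name from the report. */
    printf("%d\n", build_join_notice(buf, sizeof buf, "nick", "%n%n%n%n.host.com"));
    printf("%d %s\n", build_join_notice(buf, sizeof buf, "nick", "irc.host.com"), buf);
    return 0;
}
```

Compiling the server with `-Wformat -Wformat-security` (GCC or Clang) flags call sites where a non-literal string is used as the format argument.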