|← 0.064||ZNC 0.066||0.068 →|
|This is an old ZNC version. If you still use it, please consider upgrading to 1.7.0.|
Security critical fixes
This is CVE-2009-0759.
This bug affects all versions of ZNC which include the webadmin module. Let's just say this affects every ZNC version, ok? ;)
Who can use this bug?
First, ZNC must have the webadmin module loaded and accessible to the outside. Now any user who already has a valid login can exploit this bug.
An admin must help (unknowingly) to trigger this bug by reloading the config.
Through this bug users can write arbitrary strings to the znc.conf file.
- Unprivileged ZNC users can make themselves admin and load the shell module to gain shell access.
- Unprivileged ZNC users can temporarily overwrite any file ZNC has write access to via ISpoof. This can be used to overwrite ~/.ssh/authorized_keys and gain shell access.
- Unprivileged ZNC users can permanently truncate any file to which ZNC has write access via ISpoof. ZNC never saves more than 1kB for restoring the ISpoofFile.
How can I protect myself?
Upgrade to ZNC 0.066 or newer or unload webadmin.
Webadmin doesn't properly validate user input. If you send a manipulated POST request to webadmin's edit user page which includes newlines in e.g. the QuitMessage field, this field will be written unmodified to the config. This way you can add new lines to znc.conf. The new lines will not be parsed until the next rehash or restart.
This can be done with nearly all input fields in webadmin. Because every user can modify himself via webadmin, every user can exploit this bug.
Thanks to cnu for finding and reporting this bug.
- Added the admin module. (r1379) (r1386)
- savebuff and away no longer ask for a password on startup. (r1388)
- Added the fail2ban module. (r1390)
- savebuff now also works with KeepBuffer turned off. (r1384)
- webadmin did not properly escape module description which could allow XSS attacks. (r1391)
- Fix some "use of uninitialized variable" warnings. (r1392)
- Check the return value of strftime(). This allowed reading stack memory. (r1394)
- Some dead code elimination. (r1381)
- Don't have two places where the version number is defined. (r1382)