To create new wiki account, please join us on #znc at Libera.Chat and ask admins to create a wiki account for you. You can say thanks to spambots for this inconvenience.

ChangeLog/0.066

From ZNC
Revision as of 09:53, 2 April 2017 by DarthGandalf (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
← 0.064 ZNC 0.066 0.068 →


Security critical fixes

There was a privilege escalation bug in webadmin which could allow all ZNC users to write to znc.conf. They could gain shell access through this. (r1395) (r1396)

This is CVE-2009-0759.

Affected versions

This bug affects all versions of ZNC which include the webadmin module. Let's just say this affects every ZNC version, ok? ;)

Who can use this bug?

First, ZNC must have the webadmin module loaded and accessible to the outside. Now any user who already has a valid login can exploit this bug.

An admin must help (unknowingly) to trigger this bug by reloading the config.

Impact

Through this bug users can write arbitrary strings to the znc.conf file.

  • Unprivileged ZNC users can make themselves admin and load the shell module to gain shell access.
  • Unprivileged ZNC users can temporarily overwrite any file ZNC has write access to via ISpoof. This can be used to overwrite ~/.ssh/authorized_keys and gain shell access.
  • Unprivileged ZNC users can permanently truncate any file to which ZNC has write access via ISpoof. ZNC never saves more than 1kB for restoring the ISpoofFile.

How can I protect myself?

Upgrade to ZNC 0.066 or newer or unload webadmin.

What happens?

Webadmin doesn't properly validate user input. If you send a manipulated POST request to webadmin's edit user page which includes newlines in e.g. the QuitMessage field, this field will be written unmodified to the config. This way you can add new lines to znc.conf. The new lines will not be parsed until the next rehash or restart.

This can be done with nearly all input fields in webadmin. Because every user can modify himself via webadmin, every user can exploit this bug.

Thanks

Thanks to cnu for finding and reporting this bug.

New stuff

Fixes

  • savebuff now also works with KeepBuffer turned off. (r1384)
  • webadmin did not properly escape module description which could allow XSS attacks. (r1391)
  • Fix some "use of uninitialized variable" warnings. (r1392)
  • Check the return value of strftime(). This allowed reading stack memory. (r1394)

Minor stuff

  • Some dead code elimination. (r1381)
  • Don't have two places where the version number is defined. (r1382)

Internal stuff

  • Removed some useless and unused CFile members. (r1383)
  • Removed the DEBUG_ONLY define. (r1385)
  • OnFailedLogin() is now called for all failed logins, not only failed IRC ones. This changes CAuthBase API. (r1389)