Bug 1090495 - (CVE-2018-1000178) VUL-0: CVE-2018-1000178: quassel: Corruption of heap metadata leading to preauth remote code execution and DOS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / openSUSE Factory
Priority / Severity: P3 - Medium / Major
Assigned To: Security Team bot
Reported: 2018-04-23 06:23 UTC by Johannes Segitz
Modified: 2018-12-30 21:05 UTC

Description Johannes Segitz 2018-04-23 06:23:04 UTC
From: nongiach nongiach

I found two vulnerabilities in quasselcore, an IRC connection multiplexer,
one of high severity and another of low severity; they are both
privately fixed:
- these patches apply cleanly to 0.12.4 sources
- the devs plan to publicly release 0.12.5 including these patches on Tuesday
24.04

The purpose of this email is to inform distros so they can synchronize on Tuesday 24.04
to update all quassel* packages to the 0.12.5 release, and to request 2 CVE
numbers.
https://github.com/quassel/quassel

==============================================
Vuln 1:
Title: quasselcore, corruption of heap metadata caused by qdatastream
leading to preauth remote code execution.
Severity: high; by default the server port is publicly open and the address
can be requested using the /WHOIS command of the IRC protocol.
Description: In the QDataStream protocol each object is prepended with 4 bytes
for the object size; this can be used to trigger allocation errors.
Patch:
https://quassel-irc.org/pub/misc/0001-Implement-custom-deserializer-to-add-our-own-sanity-.patch

Screen POC: https://i.imgur.com/JJ4QcNq.png
Credit: @chaign_c
Information: This vulnerability is not specific to qdatastream.

==============================================
Vuln 2:
Title: quasselcore DDOS
Severity: low; impacts only a quasselcore that is not configured.
Description: A login attempt causes a NULL pointer dereference when
the database is not initialized.
Patch:
https://quassel-irc.org/pub/misc/0002-Reject-clients-that-attempt-to-login-before-the-core.patch
Credit: @chaign_c

==============================================

With the lead dev's agreement, the POC will be released at
https://github.com/nongiach/CVE/ one month from now.
A big thanks to the quassel team for their quick responses and reaction.
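The report above describes the vulnerable pattern only in one sentence: each serialized object is preceded by a 4-byte size field, and a deserializer that sizes its buffer from that field lets the peer pick the allocation. The following is an added example (written for this page; it is not quassel's code and not the upstream patch) that models that framing without Qt: a 4-byte big-endian length prefix followed by the payload, with 0xFFFFFFFF standing for a null object as QDataStream does for a null QByteArray. `parseTrusting` is the length-trusting shape of deserializer, `parseChecked` the sanity-checked form; the 64 KiB per-object cap, the function names and the sample messages are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Model of the framing described in the report: a 4-byte big-endian length
// (QDataStream's default byte order) followed by that many payload bytes.
// QDataStream writes 0xFFFFFFFF for a null QByteArray; handled as a sentinel.
static constexpr uint32_t kNullMarker = 0xFFFFFFFFu;

static uint32_t readBe32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

static void writeBe32(std::vector<uint8_t>& out, uint32_t v) {
    out.push_back(uint8_t(v >> 24)); out.push_back(uint8_t(v >> 16));
    out.push_back(uint8_t(v >> 8));  out.push_back(uint8_t(v));
}

// Constructed test input: a message of well-formed length-prefixed objects.
std::vector<uint8_t> encodeObjects(const std::vector<std::string>& objs) {
    std::vector<uint8_t> msg;
    for (const auto& o : objs) {
        writeBe32(msg, uint32_t(o.size()));
        msg.insert(msg.end(), o.begin(), o.end());
    }
    return msg;
}

// Constructed hostile input: an arbitrary length prefix with nothing behind it,
// the shape a prefix-trusting deserializer mishandles.
std::vector<uint8_t> encodeBogusPrefix(uint32_t claimed) {
    std::vector<uint8_t> msg;
    writeBe32(msg, claimed);
    return msg;
}

// VULNERABLE pattern: the prefix is trusted. The object buffer is sized and
// filled from a peer-chosen number, so a prefix larger than the bytes actually
// received reads past the message and hands the allocator an attacker-chosen
// size. Kept only for contrast; never call it on untrusted data.
std::vector<std::string> parseTrusting(const std::vector<uint8_t>& msg) {
    std::vector<std::string> out;
    size_t off = 0;
    while (off + 4 <= msg.size()) {
        uint32_t len = readBe32(&msg[off]);
        off += 4;
        // No check that `len` bytes exist: out-of-bounds read on bad input.
        out.emplace_back(reinterpret_cast<const char*>(msg.data() + off), len);
        off += len;
    }
    return out;
}

enum class ParseStatus { Ok, TruncatedHeader, LengthExceedsMessage, LengthExceedsLimit };

// HARDENED: every length is validated against the bytes actually present and
// against an absolute per-object cap (assumed value) before any copy happens.
ParseStatus parseChecked(const std::vector<uint8_t>& msg,
                         std::vector<std::string>& out,
                         size_t maxObjectBytes = 64 * 1024) {
    out.clear();
    size_t off = 0;
    while (off < msg.size()) {
        if (msg.size() - off < 4) return ParseStatus::TruncatedHeader;
        uint32_t len = readBe32(&msg[off]);
        off += 4;
        if (len == kNullMarker) { out.emplace_back(); continue; }  // null object
        if (len > maxObjectBytes) return ParseStatus::LengthExceedsLimit;
        if (len > msg.size() - off) return ParseStatus::LengthExceedsMessage;
        out.emplace_back(reinterpret_cast<const char*>(msg.data() + off), len);
        off += len;
    }
    return ParseStatus::Ok;
}

int main() {
    std::vector<std::string> objs;
    std::cout << "benign: " << int(parseChecked(encodeObjects({"hello", "world!"}), objs))
              << " objects=" << objs.size() << "\n";
    std::cout << "bogus 1000: " << int(parseChecked(encodeBogusPrefix(1000), objs)) << "\n";
    std::cout << "bogus 0x7fffffff: " << int(parseChecked(encodeBogusPrefix(0x7FFFFFFFu), objs)) << "\n";
    return 0;
}
```

The order of the two checks matters in practice: the absolute cap rejects a huge prefix before any arithmetic involving the remaining buffer, and the remaining-bytes check catches the more realistic case of a prefix that is plausible in size but not backed by data. Both belong before the allocation, which is the point the report's "sanity checks for QDataStream deserialization" fix makes.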
Comment 1 Johannes Segitz 2018-04-23 06:23:25 UTC
CRD: 2018-04-24
Comment 2 Johannes Segitz 2018-04-23 06:26:47 UTC
This is an embargoed bug. This means that this information is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not submit this into OBS (e.g. fix Leap) until this is public
- do not make this bug public
- Please be aware that the SUSE:SLE-15:GA codestream is available via OBS. This means that you can't submit security fixes for embargoed issues to SLE 15 until they become public.
Comment 3 Tomáš Chvátal 2018-04-25 08:40:28 UTC
Done and building, submitted to 42.3 and TW (leap 15 will inherit it from there).

Whenever we have CVE numbers, please sr the changelog update or just let me know.
Comment 4 Swamp Workflow Management 2018-04-25 09:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1090495) was mentioned in
https://build.opensuse.org/request/show/600829 Factory / quassel
https://build.opensuse.org/request/show/600830 42.3 / quassel
Comment 5 Karol Babioch 2018-04-25 09:11:55 UTC
Making the bug public, since upstream released a new version and the patches/commits are public now and are also mentioned in the ChangeLog:

* Add sanity checks for QDataStream deserialization (e.g. for size)
* Prevent clients from trying to login to an unconfigured core, avoiding a crash

https://github.com/quassel/quassel/commit/2b777e99fc9f74d4ed21491710260664a1721d1f
https://github.com/quassel/quassel/commit/e17fca767d60c06ca02bc5898ced04f06d3670bd
Comment 6 Karol Babioch 2018-04-25 10:02:34 UTC
No CVEs yet, will add them once known.
Comment 7 Marcus Meissner 2018-05-02 06:25:33 UTC
Vuln1: CVE-2018-1000178, CWE-120: heap corruption
{
  "data_version": "4.0",
  "references": {
    "reference_data": [
      {"url": "https://i.imgur.com/JJ4QcNq.png"},
      {"url": "https://github.com/quassel/quassel/blob/master/src/common/protocols/datastream/datastreampeer.cpp#L62"}
    ]
  },
  "description": {
    "description_data": [
      {"lang": "eng", "value": "A heap corruption of type CWE-120 exists in quassel version 0.12.4 in quasselcore in void DataStreamPeer::processMessage(const QByteArray &msg), datastreampeer.cpp line 62 that allows an attacker to execute code remotely."}
    ]
  },
  "data_type": "CVE",
  "affects": {
    "vendor": {
      "vendor_data": [
        {
          "product": {
            "product_data": [
              {"version": {"version_data": [{"version_value": "0.12.4>version"}]}, "product_name": "quasselcore, quasselclient"}
            ]
          },
          "vendor_name": "quassel"
        }
      ]
    }
  },
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2018-04-30T19:35:42.127351",
    "DATE_REQUESTED": "2018-04-23T00:00:00",
    "ID": "CVE-2018-1000178",
    "ASSIGNER": "kurt@seifried.org",
    "REQUESTER": "nongiach@gmail.com"
  },
  "data_format": "MITRE",
  "problemtype": {
    "problemtype_data": [
      {"description": [{"lang": "eng", "value": "CWE-120: heap corruption"}]}
    ]
  }
}

Vuln2: CVE-2018-1000179, CWE-476: NULL Pointer Dereference
{
  "data_version": "4.0",
  "references": {
    "reference_data": [
      {"url": "https://github.com/quassel/quassel/blob/master/src/core/coreauthhandler.cpp#L236"}
    ]
  },
  "description": {
    "description_data": [
      {"lang": "eng", "value": "A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4 in the quasselcore void CoreAuthHandler::handle(const Login &msg), coreauthhandler.cpp line 235 that allows an attacker to cause a denial of service."}
    ]
  },
  "data_type": "CVE",
  "affects": {
    "vendor": {
      "vendor_data": [
        {
          "product": {
            "product_data": [
              {"version": {"version_data": [{"version_value": "0.12.4>version"}]}, "product_name": "quasselcore"}
            ]
          },
          "vendor_name": "quassel"
        }
      ]
    }
  },
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2018-04-30T19:35:42.127797",
    "DATE_REQUESTED": "2018-04-23T00:00:00",
    "ID": "CVE-2018-1000179",
    "ASSIGNER": "kurt@seifried.org",
    "REQUESTER": "nongiach@gmail.com"
  },
  "data_format": "MITRE",
  "problemtype": {
    "problemtype_data": [
      {"description": [{"lang": "eng", "value": "CWE-476: NULL Pointer Dereference"}]}
    ]
  }
}
Comment 8 Swamp Workflow Management 2018-05-02 10:07:55 UTC
openSUSE-SU-2018:1119-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1069468,1090495
CVE References: CVE-2018-1000178,CVE-2018-1000179
Sources used:
openSUSE Leap 42.3 (src):    quassel-0.12.5-5.3.1
Comment 9 Swamp Workflow Management 2018-07-26 09:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1090495) was mentioned in
https://build.opensuse.org/request/show/625384 42.3 / quassel
Comment 10 Andreas Stieger 2018-12-30 21:05:44 UTC
done