View Issue Details

IDProjectCategoryView StatusLast Update
0005925unrealircdpublic2021-06-25 11:54
ReporterValware Assigned Tosyzop  
PrioritynormalSeveritytweakReproducibilityalways
Status resolvedResolutionfixed 
Product Version5.2.0 
Fixed in Version5.2.1-rc1 
Summary0005925: Validate UID in UID command
DescriptionIt is possible to send an invalid UID (even a normal nick) as the UID parameter in the UID command (so the 6th parameter).

Tried this myself using a pseudeoserver and confirmed I can do it
TagsNo tags attached.
3rd party modules

Activities

syzop

2021-06-24 17:03

administrator   ~0022027

Can you show, like a paste of traffic (line) and then referencing what you think is wrong?

Valware

2021-06-24 17:17

reporter   ~0022028

This isn't actually anope, but I noticed that they were set this way in anope's anope_user SQL table, and connecting with it as a credential allows it

:69L UID NickServ 0 1624497040 services services.host NickServ 0 +oS * Clk-BA0161F4.host * :Nickname Registration Service

the 8th token here, which I believe is UID
I'm not 100% on what's what, but I was told somewhere twice that a UID is supposed to start with a digit because the first three chars are supposed to reflect the SID.

syzop

2021-06-24 17:50

administrator   ~0022029

Last edited: 2021-06-24 17:53

Ah ok, because yeah.. anope traffic looks fine, it uses a proper UID. I'll remove all anope references and update the title of this bug to reflect the need for validation of the UID parameter.

syzop

2021-06-25 11:54

administrator   ~0022031

Thanks for the report, should now be fixed. It should not affect any services out there. If it does, do let me know.
https://github.com/unrealircd/unrealircd/commit/26a3444f4e530c1fa5b86d98c93418a5652aab4d

commit 26a3444f4e530c1fa5b86d98c93418a5652aab4d (HEAD -> unreal52, origin/unreal52, origin/HEAD)
Author: Bram Matthys <syzop@vulnscan.org>
Date: Fri Jun 25 11:43:52 2021 +0200

    Validate the UID in cmd_uid(). Reported by Valware in
    https://bugs.unrealircd.org/view.php?id=5925
    
    This does two things in cmd_uid() now:
    * It checks if parameter 6 in UID is a valid UID, using valid_uid()
    * It checks if the first 3 characters of the UID match the SID

Issue History

Date Modified Username Field Change
2021-06-24 07:23 Valware New Issue
2021-06-24 17:03 syzop Note Added: 0022027
2021-06-24 17:04 syzop Assigned To => syzop
2021-06-24 17:04 syzop Status new => feedback
2021-06-24 17:17 Valware Note Added: 0022028
2021-06-24 17:50 syzop Summary UIDs can (and are in the case of anope) not reflect SID => Validate UID in UID command
2021-06-24 17:50 syzop Description Updated
2021-06-24 17:50 syzop Steps to Reproduce Updated
2021-06-24 17:50 syzop Note Added: 0022029
2021-06-24 17:50 syzop Status feedback => confirmed
2021-06-24 17:53 syzop Note Edited: 0022029
2021-06-25 11:37 syzop Priority low => normal
2021-06-25 11:54 syzop Status confirmed => resolved
2021-06-25 11:54 syzop Resolution open => fixed
2021-06-25 11:54 syzop Fixed in Version => 5.2.1-rc1
2021-06-25 11:54 syzop Note Added: 0022031