InspIRCd Security Advisory 2025-01

Summary

InspIRCd before v4.7.0 contains an unhandled exception from the {fmt} library. When a server operator account has a custom connect class set (either in <oper:class> or <type:class>), any user logged into that server operator account can use this vulnerability to remotely crash an InspIRCd server.

Thanks to an anonymous user for reporting this issue and @siniStar7 for help with diagnosis.

Details

When a server operator with a custom connect class logs out of their server operator account, InspIRCd tries to restore the default connect class to that user. In cases where the default connect class cannot be found, InspIRCd writes a log message and keeps the current connect class. This most commonly happens when a server operator is logged out of their account while disconnecting from a server, but it can also be triggered when no connect class exists for the user to be put into.

Unfortunately, the message that InspIRCd wrote to the log when unable to restore the default connect class contained an invalid format string, resulting in the {fmt} library throwing an exception which went unhandled. This resulted in the C++ runtime calling std::terminate to terminate the InspIRCd process.

This issue was resolved by fixing the malformed format string, adding {fmt} exception handling to Log::Manager::Write to avoid this in the future, and by disabling restoration of the default connect class on quit as it is unnecessary in this case.
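
The failure mode and the log-writer hardening described above, as an added example that is not InspIRCd or {fmt} code. `mini_format`, `write_unguarded`, `write_guarded` and `log_lines` are hypothetical stand-ins, and the malformed format string used to exercise them is constructed, not the one from the affected release.

```cpp
// Added example: stand-in for a {fmt}-style formatter and a log writer.
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical mini-formatter: replaces each "{}" with the next argument and throws
// on a malformed string, as {fmt} does (fmt::format_error is a std::runtime_error).
std::string mini_format(const std::string& f, const std::vector<std::string>& args) {
    std::string out;
    std::size_t next = 0;
    for (std::size_t i = 0; i < f.size(); ++i) {
        if (f[i] == '{' && i + 1 < f.size() && f[i + 1] == '}') {
            if (next >= args.size())
                throw std::runtime_error("argument not found");
            out += args[next++];
            ++i; // skip the closing brace
        } else if (f[i] == '{' || f[i] == '}') {
            throw std::runtime_error("invalid format string");
        } else {
            out += f[i];
        }
    }
    return out;
}

// Hypothetical log sink: an in-memory vector so the written lines can be inspected.
std::vector<std::string> log_lines;

// Unguarded writer: a formatter exception escapes to the caller. If nothing up the
// stack catches it, the C++ runtime calls std::terminate and the process dies.
void write_unguarded(const std::string& f, const std::vector<std::string>& args) {
    log_lines.push_back(mini_format(f, args));
}

// Guarded writer: a bad format string costs one degraded log line, not the process.
// The raw format string is still logged so the defect can be found and fixed.
bool write_guarded(const std::string& f, const std::vector<std::string>& args) {
    try {
        log_lines.push_back(mini_format(f, args));
        return true;
    } catch (const std::exception& e) {
        log_lines.push_back("[log format error: " + std::string(e.what()) + "] " + f);
        return false;
    }
}
```
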

It is not expected that this vulnerability will affect many users as it requires privileged access and using a custom connect class for server operators is reasonably uncommon.

Affected Versions

This vulnerability is present in the following releases:

This vulnerability is fixed in version 4.7.0. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then all places in which <oper:class> or <type:class> are set should be temporarily unset.

History

References