Bugtraq mailing list archives
Re: Tetrix 1.13.16 is Vulnerable
From: pavel () BUG UCW CZ (Pavel Machek)
Date: Fri, 19 Feb 1999 11:04:42 +0100
Hi!
I have recently found a buffer overflow in a TetriNet daemon for Linux called "Tetrix". To exploit this bug, you will need a hostname longer than 122 characters, and any method of connecting to the host on port 31457. Once you are connected, the overflow should take place. Here is the patch!
...which does not work.
diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c --- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998 +++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999 @@ -250,15 +250,17 @@ unsigned long ip; { struct hostent *hp; unsigned long addr=ip; - unsigned char *p; static char s[121]; -/* alarm(10);*/ + unsigned char *p; static char s[UHOSTLEN]; + hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/ if (hp==NULL) { p=(unsigned char *)&addr; sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]); return s; } - strcpy(s,hp->h_name); return s; + strncpy(s,hp->h_name,(UHOSTLEN-1)); + s[strlen(s)]='\0'; + return s;
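Review bot: the added `strncpy(s,hp->h_name,(UHOSTLEN-1));` does not guarantee a terminator, and the `s[strlen(s)]='\0';` that follows it cannot supply one, because strlen() searches for exactly the NUL that may be missing: when h_name is UHOSTLEN-1 bytes or longer, that line either overwrites a NUL that is already there (a no-op) or reads past the end of s. Replace it with `s[UHOSTLEN-1]='\0';`. The only reason s ends up terminated in this hunk is that the array is static (zero-initialised) and index UHOSTLEN-1 is never written, neither by a strncpy bounded to UHOSTLEN-1 nor by the sprintf branch, which emits at most 15 characters; that is an accident of layout rather than something the code guarantees, and a comment should say so. The value of UHOSTLEN is not visible in the hunk either, so the change cannot be checked against the 122-character trigger the report describes.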
If s is not null-terminated after strncpy...

    The strncpy() function is similar, except that not more than n bytes of src are copied. Thus, if there is no null byte among the first n bytes of src, the result will not be null-terminated.

...then s[strlen(s)]='\0'; will not help it - because strlen() looks for \0 :-).

s[UHOSTLEN-1]='\0'; would be correct.

Pavel

--
I'm really pavel () atrey karlin mff cuni cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
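The termination problem Pavel describes, carried through in an added example that is not part of the thread or of the tetrinetx sources: the copy exactly as the patch writes it beside the corrected form, run over a constructed hostname of a chosen length. UHOSTLEN is assumed to be 128 (the real header value is not on the page), and the function names are constructed for this demo.

```c
#include <stddef.h>
#include <string.h>

/* Assumed value; the real UHOSTLEN from the tetrinetx headers is not on the page. */
#define UHOSTLEN 128

/* True if buf[0..n-1] holds a NUL, checked with memchr() so the test itself
 * never reads past the buffer the way strlen() would. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* The copy as the posted patch writes it: strncpy() with n-1, then
 * s[strlen(s)] = '\0'. The guard is only here so this demo does not run
 * strlen() off the end of an unterminated buffer; the patch has no guard. */
static void copy_like_patch(char *s, size_t n, const char *src)
{
    strncpy(s, src, n - 1);
    if (is_terminated(s, n))
        s[strlen(s)] = '\0';   /* overwrites an existing NUL: a no-op */
}

/* Pavel's correction: the terminator goes in the last slot unconditionally. */
static void copy_fixed(char *s, size_t n, const char *src)
{
    strncpy(s, src, n - 1);
    s[n - 1] = '\0';
}

/* Copies a constructed hostname of srclen 'a' characters into a UHOSTLEN
 * buffer pre-filled with non-NUL bytes (a static array starts zeroed, which
 * would mask the bug). Returns the resulting string length, or -1 if the
 * buffer is left without a terminator. */
static int copy_result(void (*copy)(char *, size_t, const char *), size_t srclen)
{
    char src[512];
    char s[UHOSTLEN];
    if (srclen >= sizeof src)
        srclen = sizeof src - 1;
    memset(src, 'a', srclen);
    src[srclen] = '\0';
    memset(s, 'X', sizeof s);
    copy(s, sizeof s, src);
    return is_terminated(s, sizeof s) ? (int)strlen(s) : -1;
}

int patch_copy_result(size_t srclen) { return copy_result(copy_like_patch, srclen); }
int fixed_copy_result(size_t srclen) { return copy_result(copy_fixed, srclen); }
```

A hostname of UHOSTLEN-1 characters is already enough to leave the patched copy unterminated, which is why the fix has to write the NUL at a fixed index rather than look for one.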
Current thread:
- Tetrix 1.13.16 is Vulnerable Steven Hodges (Feb 17)
- Re: Tetrix 1.13.16 is Vulnerable Pavel Machek (Feb 19)