Vulnerability Development mailing list archives
KSalup 1.0.2 : bad address binding
From: _kiss_ () guay com
Date: Sun, 20 Jan 2002 01:51:01 +0100 (CET)
KSalup is an enhanced port of Winpopup for KDE. It also allows the user to send and receive Winpopup messages over a local network (LAN).

It does address binding in a very dangerous way (from main.cpp):

    i=gethostname(hostname, sizeof(hostname)-1);
    [...]
    host=gethostbyname(hostname);
    [...]
    myip=*(uint32_t*)(host->h_addr_list[0]);
    [...]
    i=setsockopt(sock[2], SOL_SOCKET, SO_REUSEADDR, &b, l);
    [...]
    sin.sin_family=AF_INET;
    sin.sin_port=htons(138);
    sin.sin_addr.s_addr=myip;
    i=::bind(sock[2], (struct sockaddr*)&sin, sizeof(struct sockaddr_in));

If a socket is bound to the wildcard address (0.0.0.0) on KSalup's port, it will capture datagrams originally intended to reach KSalup's socket.

This programming error doesn't seem to be exploitable to me, since the socket we are talking about uses port 138, which is a privileged port and can only be bound by root. Anyway, a fix should be considered. It just takes binding the wildcard address as well during socket initialization.

Rafael San Miguel Carrasco (_kiss_)
rsanmcar () alum uax es
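
An added example, not part of the original post and not KSalup code: a C check of whether a second UDP socket can bind 0.0.0.0 on a port already held on a specific address, depending on whether the first socket set SO_REUSEADDR as the quoted main.cpp does. Linux bind semantics are assumed; the helper names are hypothetical, and loopback with an ephemeral port stands in for the host address and port 138 so the check runs unprivileged.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: UDP socket bound to addr:port (host byte order),
 * with SO_REUSEADDR set when reuse is non-zero. Returns the fd or -1. */
static int bind_udp(in_addr_t addr, in_port_t port, int reuse)
{
    struct sockaddr_in sin = {0};
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(addr);
    if ((reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0) ||
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* First socket: specific address, kernel-chosen port (assumed stand-ins).
 * Second socket: wildcard address, same port, SO_REUSEADDR set.
 * Returns 1 if the second bind succeeds, 0 if refused, -1 on setup error. */
int wildcard_cobind_allowed(int first_reuse)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int second, first = bind_udp(INADDR_LOOPBACK, 0, first_reuse);
    if (first < 0)
        return -1;
    if (getsockname(first, (struct sockaddr *)&sin, &len) < 0) {
        close(first);
        return -1;
    }
    second = bind_udp(INADDR_ANY, ntohs(sin.sin_port), 1);
    if (second >= 0)
        close(second);
    close(first);
    return second >= 0;
}

int main(void)
{
    printf("first socket with SO_REUSEADDR:    %d\n", wildcard_cobind_allowed(1));
    printf("first socket without SO_REUSEADDR: %d\n", wildcard_cobind_allowed(0));
    return 0;
}
```

On Linux the first call returns 1 and the second returns 0: the kernel refuses the later wildcard bind with EADDRINUSE unless both UDP sockets set SO_REUSEADDR.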