Vulnerability Development mailing list archives

KSalup 1.0.2 : bad address binding


From: _kiss_ () guay com
Date: Sun, 20 Jan 2002 01:51:01 +0100 (CET)


KSalup is an enhanced port of Winpopup for KDE. It also allows 
the user to send and receive Winpopup messages over a local network (LAN).

It does address binding in a very dangerous way:

(from main.cpp)

i=gethostname(hostname, sizeof(hostname)-1);

[...]

host=gethostbyname(hostname);

[...]

myip=*(uint32_t*)(host->h_addr_list[0]);

[...]

i=setsockopt(sock[2], SOL_SOCKET, SO_REUSEADDR, &b, l);

[...]

sin.sin_family=AF_INET;
sin.sin_port=htons(138);
sin.sin_addr.s_addr=myip;

i=::bind(sock[2], (struct sockaddr*)&sin, sizeof(struct sockaddr_in));


If a socket is bound to the wildcard address (0.0.0.0) on KSalup's port, it will capture datagrams originally intended to reach KSalup's socket.

This programming error doesn't seem to be exploitable to me, since the socket we are talking about uses port 138, which is a privileged port and can only be bound by root.

Anyway, a fix should be considered. It just takes binding the wildcard address as well during socket initialization.

      Rafael San Miguel Carrasco
      (_kiss_)
      rsanmcar () alum uax es
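As an added example (not part of the post above and not KSalup's code), the following C program reproduces the bind pattern quoted from main.cpp, using loopback and a kernel-chosen port in place of the LAN address and port 138 so that it runs without root. It checks whether a second socket can bind 0.0.0.0 on the same UDP port alongside a socket bound to a specific address, with and without SO_REUSEADDR on each side, and reports which of the two sockets the kernel hands a unicast datagram addressed to the specific address. The conflict rule it exercises is Linux's: the overlapping wildcard bind is accepted only when both sockets carry SO_REUSEADDR. The helper names (bind_udp, wildcard_bind_overlaps, who_received) are the example's own.

```c
/* Added example, not KSalup's code: what SO_REUSEADDR permits when one UDP
 * socket is bound to a specific address and a second binds 0.0.0.0 on the
 * same port. Loopback and a kernel-chosen port stand in for the LAN address
 * and port 138 so this runs unprivileged. Conflict rules are Linux's. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static int close_keep_errno(int fd)
{
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* UDP socket bound to addr_be:port_be (network byte order). SO_REUSEADDR is
 * set before bind() when reuse != 0, as in the quoted KSalup code. */
static int bind_udp(uint32_t addr_be, uint16_t port_be, int reuse)
{
    int one = 1;
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
        return close_keep_errno(fd);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = port_be;
    sin.sin_addr.s_addr = addr_be;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        return close_keep_errno(fd);
    return fd;
}

/* Which socket has a datagram waiting: 1 = a, 2 = b, 0 = neither (500 ms). */
static int who_received(int a, int b)
{
    struct pollfd pfd[2] = { { a, POLLIN, 0 }, { b, POLLIN, 0 } };
    if (poll(pfd, 2, 500) <= 0)
        return 0;
    return (pfd[0].revents & POLLIN) ? 1 : (pfd[1].revents & POLLIN) ? 2 : 0;
}

/* Bind A to 127.0.0.1 on a kernel-chosen port, then try to bind B to
 * 0.0.0.0 on that same port. Returns 1 if B's bind succeeds, 0 if it is
 * refused with EADDRINUSE, -1 on any other error. If probe_out != NULL and
 * both sockets exist, a third socket sends one datagram to 127.0.0.1:port
 * and *probe_out records who got it (1 = A specific, 2 = B wildcard, 0 = none). */
static int wildcard_bind_overlaps(int a_reuse, int b_reuse, int *probe_out)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int a, b, result;

    if (probe_out)
        *probe_out = 0;
    a = bind_udp(htonl(INADDR_LOOPBACK), 0, a_reuse);
    if (a < 0)
        return -1;
    if (getsockname(a, (struct sockaddr *)&sin, &len) < 0)
        return close_keep_errno(a);
    b = bind_udp(htonl(INADDR_ANY), sin.sin_port, b_reuse);
    if (b < 0) {
        result = (errno == EADDRINUSE) ? 0 : -1;
        close(a);
        return result;
    }
    if (probe_out) {
        int s = socket(AF_INET, SOCK_DGRAM, 0);   /* unbound sender, autobinds */
        if (s >= 0) {
            if (sendto(s, "probe", 5, 0, (struct sockaddr *)&sin, sizeof sin) == 5)
                *probe_out = who_received(a, b);
            close(s);
        }
    }
    close(b);
    close(a);
    return 1;
}

int main(void)
{
    int probe = 0, r;
    r = wildcard_bind_overlaps(1, 1, &probe);
    printf("A and B with SO_REUSEADDR: wildcard bind %s\n",
           r == 1 ? "succeeds" : r == 0 ? "refused (EADDRINUSE)" : "error");
    printf("  unicast to 127.0.0.1:port reached: %s\n",
           probe == 1 ? "A (specific)" : probe == 2 ? "B (wildcard)" : "neither");
    r = wildcard_bind_overlaps(0, 1, NULL);
    printf("A without SO_REUSEADDR:    wildcard bind %s\n",
           r == 1 ? "succeeds" : r == 0 ? "refused (EADDRINUSE)" : "error");
    r = wildcard_bind_overlaps(1, 0, NULL);
    printf("B without SO_REUSEADDR:    wildcard bind %s\n",
           r == 1 ? "succeeds" : r == 0 ? "refused (EADDRINUSE)" : "error");
    return 0;
}
```

Compile with cc and run as an ordinary user. The line to watch is that the overlapping 0.0.0.0 bind is accepted only when both sockets set SO_REUSEADDR; dropping the option from a socket that should own its port exclusively makes the second bind fail with EADDRINUSE. Where two overlapping sockets do coexist, which one a given datagram reaches is decided by the kernel's socket lookup, not by the application, which is why the probe reports rather than assumes.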
