Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Buffer Overflow in Open Dc Hub 0.7.14

From: "Donato Ferrante" <fdonato () autistici org>
Date: Wed, 24 Nov 2004 15:54:28 -0000

                           Donato Ferrante


Application:  Open Dc Hub
              http://opendchub.sourceforge.net/

Version:      0.7.14

Bug:          Buffer Overflow

Date:         24-Nov-2004

Author:       Donato Ferrante
              e-mail: fdonato () autistici org
              web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"An Open Source Linux/Unix version of the hub software for Direct
Connect."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't correctly manage the $RedirectAll command.
In fact it will have a buffer overflow, letting an attacker to execute
arbitrary code on the victim system.

NOTE: To exploit the bug the attacker needs to have admin privilege on
the victim hub.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not not replied to my mails.

In the meantime give admin access only to trusted people.
If you want you can use my following little patch that should fix this
bug:


/* patch */


--- commands.c  2004-11-21 13:01:48.000000000 +0100
+++ patch.c     2004-11-21 13:05:33.000000000 +0100
@@ -2842,7 +2842,7 @@
 {
    char move_string[MAX_HOST_LEN+20];

-   sprintf(move_string, "$ForceMove %s", buf);
+   snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf);

    send_to_humans(move_string, REGULAR | REGISTERED | OP, user);
    remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1);


/* end patch */



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: