Full Disclosure mailing list archives
Multiple vulnerabilities in DConnect Daemon 0.7.0 (CVS 30 Jul 2006)
From: Luigi Auriemma <aluigi () autistici org>
Date: Sun, 6 Aug 2006 21:27:52 +0200
#######################################################################

                             Luigi Auriemma

Application:  DConnect Daemon
              http://www.dc.ds.pg.gda.pl
Versions:     <= 0.7.0 and CVS <= 30 Jul 2006
Platforms:    Windows, *nix, *BSD and others
Bugs:         A] listen_thread_udp buffer-overflow
              B] dc_chat NULL pointer
              C] various format string bugs (privileges needed)
Exploitation: remote
Date:         06 Aug 2006
Author:       Luigi Auriemma
              e-mail: aluigi () autistici org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

DConnect Daemon is an open source P2P server for the Direct Connect protocol.

#######################################################################

=======
2) Bugs
=======

------------------------------------
A] listen_thread_udp buffer-overflow
------------------------------------

The main function which handles the UDP packets is affected by a buffer-overflow vulnerability which is triggered when a nickname longer than 32 (NICK_LEN) chars is received.
The UDP port is disabled by default; the min_slots parameter in dcd.conf must be enabled for this service to be active.
From main.c:
  void listen_thread_udp(void *args)
  ...
      char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL,
           *__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
  ...
      if (!i)nick_prev[0]=0;
      else strcpy(nick_prev,nick);    /* unbounded copy into nick_prev[NICK_LEN] */
  ...

-----------------------
B] dc_chat NULL pointer
-----------------------

The dc_chat function used for handling the messages received from the clients leads to a crash caused by usr->nick, which points to NULL if the client has not sent its nickname yet (so it's enough to send a message as the first command to trigger this bug).
From cmd.dc.c:
  void dc_chat(dc_param_t *param) {
      userrec_t *usr = param->usr;
  ...
      if (strcmp(cmd,usr->nick))      /* usr->nick is NULL until the client sends its nickname */
  ...

-------------------------------------------------
C] various format string bugs (privileges needed)
-------------------------------------------------

privmsg and pubmsg are two functions used to send messages to one or more users.
Both functions require a format argument (like printf) which is missing in some parts of the code, so the user-controlled message itself is used as the format string.
These format string vulnerabilities can be exploited only if the attacker already has elevated user or administrator privileges.
From cmd.user.c:
  void chat_msg(chat_param_t *param)
  ...
      if (user[n]!=usr) pubmsg(user[n],msg);
  ...
  void chat_msg_all(chat_param_t *param)
  ...
      pubmsg(NULL,par);
  ...
  void chat_msg_prv(chat_param_t *param)
  ...
      if (user[n]!=usr) privmsg(user[n],NULL,msg);
  ...
  void chat_msg_prv_all(chat_param_t *param)
  ...
      privmsg(NULL,NULL,msg);
  ...
From penalties.c:
  void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
  ...
      privmsg(to,op,str);
  ...
From cmd.dc.c:
  void dc_OpForceMove(dc_param_t *param)
  ...
      privmsg(usr,NULL,msg);
  ...

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/dconnx.zip

#######################################################################

======
4) Fix
======

CVS 31 Jul 2006:

  cvs -d:pserver:anonymous () cvs ds pg gda pl:/home/cvsroot get dc-hub

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
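The three defect classes in the advisory above (unbounded strcpy into a NICK_LEN buffer, strcmp against a NULL nickname, and a user message passed as a printf-style format), each shown in a hardened form. This is an added example and not DConnect Daemon code; only NICK_LEN and the pubmsg/privmsg naming are taken from the advisory, everything else is constructed for illustration.

```c
/* Added example, not DConnect Daemon code: hardened counterparts of the
 * three bug classes in the advisory. NICK_LEN mirrors the advisory; the
 * function names and signatures here are constructed for illustration. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NICK_LEN 32

/* A] Bounded replacement for "strcpy(nick_prev,nick)": the nickname is
 * copied only if it fits in nick_prev[NICK_LEN] with its terminator.
 * Returns 0 on success, -1 if the nickname is too long (packet rejected). */
int store_nick(char nick_prev[NICK_LEN], const char *nick)
{
    size_t len = strlen(nick);
    if (len >= NICK_LEN)
        return -1;
    memcpy(nick_prev, nick, len + 1);
    return 0;
}

/* B] A client that has not sent its nickname yet has nick == NULL; the
 * handler must refuse the command instead of passing NULL to strcmp.
 * Returns 1 if cmd equals the nick, 0 if not, -1 if no nick is set yet. */
int chat_nick_matches(const char *cmd, const char *nick)
{
    if (nick == NULL)
        return -1;
    return strcmp(cmd, nick) == 0;
}

/* C] A printf-like pubmsg/privmsg style function. It always takes an
 * explicit format; the bounded vsnprintf return value is passed through. */
int pubmsg_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Relaying a user-supplied message correctly: the message is an argument
 * to a fixed "%s" format, never the format itself, so any '%' sequences
 * in it are copied literally instead of being interpreted. */
int relay_user_message(char *out, size_t outlen, const char *msg)
{
    return pubmsg_fmt(out, outlen, "%s", msg);
}
```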