Vulnerability Development mailing list archives

Conserver Overflow


From: snow () TEARDROP ORG (James Snow)
Date: Tue, 23 May 2000 09:53:59 -0400


This overflow is trivial to fix and I've already emailed the developer,
but I'm curious to know if it would be at all possible to exploit this
overflow.

In conserver-GNAC-6.15 in the source for the conserver daemon:

group.c line 376:

-------------------------
int CheckPasswd(pCLServing, pw_string)
CLIENT *pCLServing;
char *pw_string;
{
    struct passwd *pwd;
    FILE *fp;
    char buf[100];
    char *server, *servers, *this_pw, *user;
    char username[64];  /* same as acid */

...
-------------------------

The username array is what's of interest here. Later on, at line 389:

-------------------------

    strcpy(username, pCLServing->acid);

-------------------------

In client.h, where the CLIENT data structure is defined:

-------------------------

typedef struct client {     /* Connection Information:      */
...
    char acid[128];     /* login and location of client     */
...
} CLIENT;

-------------------------

The acid array is filled with the username and hostname of a connecting
client. Since the username (at least) is supplied by the client, you could
write a custom client to provide a username that completely fills the 128
character array. When this is strcpy'd into the 'username' array as shown
above, you've got 64 bytes of overflow.

Now, to my limited understanding of buffer overflow exploits, this isn't
enough to get us to a return pointer that would let us jump into some shell
code. But, it is enough to overflow data that's used in other places. You
could for example overwrite the 16 bytes used for the four pointers
declared just before username. And you could write part way into the 100
bytes of buf.

Could this be exploited then? My guess is that it depends on how the
overwritten data is used. This would probably require a much more detailed
examination of the code, which can be found at

ftp://ftp.gnac.com/pub/conserver/

If anyone has some time on their hands and would care to clobber a
relative newbie with some knowledge on this, I'd be most appreciative.

-Snow

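An added example, not conserver's code and not part of the post, showing the bounded copy a fix could use in place of the strcpy at group.c line 389; the cut-down CLIENT struct and the check_acid_of_length helper are assumptions made for the demonstration. It rejects any acid value that would not fit in the 64-byte username, including one that fills all 128 bytes with no terminator, which strcpy would read straight past.

```c
#include <stddef.h>
#include <string.h>

#define ACID_LEN 128      /* char acid[128] in CLIENT, client.h */
#define USERNAME_LEN 64   /* char username[64] in CheckPasswd(), group.c */

/* Hypothetical cut-down CLIENT: only the field involved in the copy. */
typedef struct client {
    char acid[ACID_LEN];
} CLIENT;

/*
 * Bounded replacement for "strcpy(username, pCLServing->acid)".
 * Returns 0 and fills username on success; returns -1 and leaves
 * username as "" when acid has no NUL within ACID_LEN or the string
 * plus terminator would not fit in username_len.  Plain strncpy()
 * would not be enough on its own: it can leave username unterminated.
 */
int copy_username_bounded(const CLIENT *c, char *username, size_t username_len)
{
    const char *end = memchr(c->acid, '\0', ACID_LEN);
    size_t n;

    username[0] = '\0';
    if (end == NULL)            /* acid filled to the brim, no terminator */
        return -1;
    n = (size_t)(end - c->acid);
    if (n >= username_len)      /* 64 or more characters: would overflow */
        return -1;
    memcpy(username, c->acid, n + 1);   /* n bytes plus the NUL */
    return 0;
}

/* Exercise the check with a constructed acid of the given length
 * (all 'a'); len == ACID_LEN means the array carries no terminator. */
int check_acid_of_length(size_t len)
{
    CLIENT c;
    char username[USERNAME_LEN];

    memset(c.acid, 'a', ACID_LEN);
    if (len < ACID_LEN)
        c.acid[len] = '\0';
    return copy_username_bounded(&c, username, sizeof username);
}
```

Matching the two array sizes (username[128]) would also close this particular copy; the explicit check documents the size invariant at the point where it matters.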
