Vulnerability Development mailing list archives
Conserver Overflow
From: snow () TEARDROP ORG (James Snow)
Date: Tue, 23 May 2000 09:53:59 -0400
This overflow is trivial to fix and I've already emailed the developer, but I'm curious to know if it would be at all possible to exploit this overflow.

In conserver-GNAC-6.15 in the source for the conserver daemon:

group.c line 376:
-------------------------
int
CheckPasswd(pCLServing, pw_string)
CLIENT *pCLServing;
char *pw_string;
{
	struct passwd *pwd;
	FILE *fp;
	char buf[100];
	char *server, *servers, *this_pw, *user;
	char username[64];	/* same as acid */
	...
-------------------------

The username array is what's of interest here. Later on, at line 389:

-------------------------
	strcpy(username, pCLServing->acid);
-------------------------

In client.h, where the CLIENT data structure is defined:

-------------------------
typedef struct client {
	/* Connection Information: */
	...
	char acid[128];		/* login and location of client */
	...
} CLIENT;
-------------------------

The acid array is filled with the username and hostname of a connecting client. Since the username (at least) is supplied by the client, you could write a custom client to provide a username that completely fills the 128 character array. When this is strcpy'd into the 'username' array as shown above, you've got 64 bytes of overflow.

Now, to my limited understanding of buffer overflow exploits, this isn't enough to get us to the return pointer that would let us jump into some shell code. But, it is enough to overflow data that's used in other places. You could for example overwrite the 16 bytes used for the four pointers declared just before username. And you could write part way into the 100 bytes of buf.

Could this be exploited then? My guess is that it depends on how the overwritten data is used. This would probably require a much more detailed examination of the code, which can be found at ftp://ftp.gnac.com/pub/conserver/

If anyone has some time on their hands and would care to clobber a relative newbie with some knowledge on this, I'd be most appreciative.

-Snow
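A bounded replacement for the strcpy call discussed in the post, as an added example that is not conserver's code. The sizes follow the post (128-byte acid, 64-byte username); copy_username and check_passwd_username are hypothetical names, and the point is that a client-supplied string which cannot fit is refused rather than truncated silently or written past the buffer:

```c
#include <stdio.h>
#include <string.h>

/* Layout described in the post: CLIENT.acid is 128 bytes, the local
 * username buffer in CheckPasswd is 64 bytes. */
#define ACID_LEN 128
#define USERNAME_LEN 64

/* Bounded replacement for strcpy(username, pCLServing->acid).
 * Copies src into dst only if it fits together with its NUL; otherwise
 * leaves dst as an empty string. Returns 0 on success, -1 on oversize.
 * The length scan stops at ACID_LEN in case acid was filled completely
 * and is not NUL-terminated. */
int copy_username(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < ACID_LEN && src[n] != '\0')
        n++;
    if (dstlen == 0)
        return -1;
    if (n >= dstlen) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Mirrors the shape of CheckPasswd's locals. Returns 1 when the
 * username was accepted for the password lookup, 0 when the
 * client-supplied acid was rejected as too long. */
int check_passwd_username(const char *acid)
{
    char buf[100];              /* neighbour of username in the original */
    char username[USERNAME_LEN];
    (void)buf;
    if (copy_username(username, sizeof username, acid) != 0)
        return 0;
    /* ... password file lookup using username would follow here ... */
    return 1;
}

int main(void)
{
    char acid[ACID_LEN];        /* constructed: acid filled to capacity */
    memset(acid, 'A', sizeof acid - 1);
    acid[ACID_LEN - 1] = '\0';
    printf("127-byte acid accepted: %d\n", check_passwd_username(acid));
    printf("short acid accepted:    %d\n", check_passwd_username("snow@host"));
    return 0;
}
```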