[Full-Disclosure] Multiple remote & local buffer overflows discovered in Drcatd

From: Khan Shirani (khan_shirani_at_yahoo.com)
Date: 06/25/04

  • Next message: http-equiv_at_excite.com: "[Full-Disclosure] Microsoft and Security"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 25 Jun 2004 10:39:31 -0700 (PDT)
    
    

    Zone-h Security Advisory
    Date of discovery : 24 june 2004
    Date of release : 25 june 2004
    Bug found by Khan Shirani
    <shirani@zone-h.org>
    http://www.zone-h.org

    ---------------------------------------
    Software : Drcatd
    Bugs : Buffer Overflows , Remote and local (multiple)
    Risk : low
    Platform : *nix
    ---------------------------------------

    Description:
    ========
    Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the
    Dr.Cat daemon (drcatd) to stdout in the clients terminal. It authenticates users versus
    the standard shadow password authentication facility and spawns a process with that users
    permissions to attempt to access the requested file
    http://www.joltedweb.com/drcat/

    Vulnerability:
    =========
    Muliple local buffer overflows have been discovered . In addition to this , remote exploitation
    is also possible due to a lack of boundry checking of input once a user has been authenticated.
    The vulnerability exists when the remote user sends an overly long filename that doesnt exist.
    This is handled by an sprintf() call which is where the overflow will occur
    vulnerable code:
    ===========
    ----------------------
    drcat-0.5.0-beta\src\drcatd.c
    sprintf(fdne_msg, "%s - File Does Not Exist", buf);
    logIt(fdne_msg);
    sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
    len = sizeof(fd_msg);
    local_send(new_fd, fd_msg, len);
    exit(1);
    ----------------------
    NOTE: Due to the exit(1) from the above snippet, exploitation of this vulnerability is not possible within x86 arche's.

    Vendor Notice:
    ==========
    The vendor has been notified via <dave@joltedweb.com>
    Copyright
    =======

    Contents may not be altered without notification to original author
    permission is granted to reproduce this advisory on public databases.
    shirani@zone-h.org
    and all the zone-h staff.
    http://www.zone-h.org

    __________________________________________________
    Do You Yahoo!?
    Tired of spam? Yahoo! Mail has the best spam protection around
    http://mail.yahoo.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: http-equiv_at_excite.com: "[Full-Disclosure] Microsoft and Security"

    Relevant Pages

    • multiple remote & local buffer overflows discovered in Drcatd
      ... Date of discovery: 24 june 2004 ... Bug found by Khan Shirani ... Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the ... The vulnerability exists when the remote user sends an overly long filename that doesnt exist. ...
      (Bugtraq)
    • Re: NSFOCUS SA2002-02 : Microsoft Windows MUP overlong request kernel overflow
      ... I believe this vulnerability can be exploited ... The following pieces of code can be in a HTML ... I have tried to reproduce the bug ... bug so I can do some testing on the remote ...
      (Bugtraq)
    • SecurityFocus Microsoft Newsletter #182
      ... Introducing the world's first and only complete Internal Security Gateway: ... Microsoft Windows XP Explorer.EXE Remote Denial of Service V... ... Apache Error Log Escape Sequence Injection Vulnerability ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #131
      ... MICROSOFT VULNERABILITY SUMMARY ... Advanced Poll Remote Information Disclosure Vulnerability ... PHPNuke News Module Article.PHP SQL Injection Vulnerability ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #171
      ... Better Management for Network Security ... GoodTech Telnet Server Remote Denial Of Service Vulnerabilit... ... ASPApp PortalAPP Remote User Database Access Vulnerability ...
      (Focus-Microsoft)