[UNIX] Drcatd Multiple Buffer Overflows

From: SecuriTeam (support_at_securiteam.com)
Date: 06/28/04

    To: list@securiteam.com
    Date: 28 Jun 2004 18:37:03 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Drcatd Multiple Buffer Overflows


     <http://www.joltedweb.com/drcat/> Dave's Remote Cat concatenates a file
    on a remote Linux host that is running the Dr.Cat daemon (drcatd) to
    stdout in the client's terminal. It authenticates users against the
    standard shadow password authentication facility and spawns a process
    with that user's permissions to attempt to access the requested file.

    Multiple local buffer overflows and a remotely triggered buffer overflow
    have been found in the remote cat daemon. The remote overflow is triggered
    when an overly long filename string naming a file that does not exist is
    passed to the server.


    Vulnerable Systems:
     * Drcatd version 0.5.0-beta

    After a user has authenticated, the filename passed to the server is not
    length-checked, so an overly long filename string can be supplied. If the
    file specified does not exist, the server logs the error. However, the
    error message is built with a sprintf() function call without any bounds
    checking, leading to a remotely exploitable buffer overflow. An excerpt
    from the vulnerable code is presented below:

    /* buf holds the client-supplied filename; fdne_msg and fd_msg are
     * fixed-size buffers. "%s" copies buf in full with no length limit. */
    sprintf(fdne_msg, "%s - File Does Not Exist", buf);
    sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
    /* sizeof() yields the whole buffer size, not the message length, so
     * the entire buffer is sent, including bytes past the terminating NUL. */
    len = sizeof(fd_msg);
    local_send(new_fd, fd_msg, len);
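    A hardened form of the same message formatting, as an added example (this is not drcatd's code; the function names, MSG_SIZE and the sample filenames are assumptions): snprintf() bounds the write to the buffer, and the caller sends only the bytes actually written instead of sizeof() the buffer.

```c
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 256   /* assumed buffer size, stands in for fd_msg */

/* Formats "<name> - File Does Not Exist\n" into msg (capacity msg_size).
 * Returns the number of bytes to send: the length of the resulting string,
 * which is never more than msg_size - 1 even when name is longer than the
 * buffer. This replaces the unbounded sprintf() plus len = sizeof(fd_msg). */
size_t format_fdne(char *msg, size_t msg_size, const char *name)
{
    int n = snprintf(msg, msg_size, "%s - File Does Not Exist\n", name);
    if (n < 0) {                 /* encoding error: send nothing */
        msg[0] = '\0';
        return 0;
    }
    /* snprintf returns the length it wanted to write; clamp to what fit */
    if ((size_t)n >= msg_size)
        return msg_size - 1;
    return (size_t)n;
}

/* Returns 1 if a filename of name_len bytes would overflow a buf_size-byte
 * buffer when formatted with the original sprintf() pattern, else 0.
 * Useful for reviewing how large a name the original code could tolerate. */
int would_overflow(size_t buf_size, size_t name_len)
{
    const size_t suffix_len = strlen(" - File Does Not Exist\n");
    return (name_len + suffix_len + 1 > buf_size) ? 1 : 0;
}

int main(void)
{
    char msg[MSG_SIZE];
    char long_name[1024];        /* constructed input: 1023 'A' bytes */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    size_t len = format_fdne(msg, sizeof msg, long_name);
    printf("would send %zu bytes into a %d-byte buffer; original overflows: %d\n",
           len, MSG_SIZE, would_overflow(MSG_SIZE, strlen(long_name)));
    return 0;
}
```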


    Note: Due to the exit system call it is not possible to exploit the
    overflow on the 80x86 architecture.


    The information has been provided by Khan <khan_shirani@yahoo.com>.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
