[UNIX] Drcatd Multiple Buffer Overflows

From: SecuriTeam (support_at_securiteam.com)
Date: 06/28/04

    To: list@securiteam.com
    Date: 28 Jun 2004 18:37:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Drcatd Multiple Buffer Overflows
    ------------------------------------------------------------------------

    SUMMARY

    Dave's Remote Cat (http://www.joltedweb.com/drcat/) concatenates a file
    on a remote Linux host that is running the Dr.Cat daemon (drcatd) to
    stdout in the client's terminal. It authenticates users against the
    standard shadow password facility and spawns a process with that user's
    permissions to access the requested file.

    Multiple local buffer overflows and one remotely triggered buffer
    overflow have been found in the remote cat daemon. The remote overflow
    is triggered when an authenticated client passes the server an overly
    long name for a file that does not exist.

    DETAILS

    Vulnerable Systems:
     * Drcatd version 0.5.0-beta

    After a user has authenticated, the client sends the name of the file
    to retrieve, and the server does not limit its length. If the named
    file does not exist the server logs the error and also sends it back to
    the client, but both messages are built with sprintf() into fixed-size
    buffers with no bounds checking on the client-supplied name, so an
    overly long name overruns them. This is a remotely reachable
    (post-authentication) buffer overflow. An excerpt from the vulnerable
    code (drcat-0.5.0-beta\src\drcatd.c) is presented below; buf holds the
    filename received from the client:

        /* buf: filename as received from the client, length never checked */
        sprintf(fdne_msg, "%s - File Does Not Exist", buf);   /* unbounded copy into fdne_msg */
        logIt(fdne_msg);
        sprintf(fd_msg, "%s - File Does Not Exist\n", buf);   /* unbounded copy into fd_msg */
        len = sizeof(fd_msg);          /* sends the whole buffer, not the string length */
        local_send(new_fd, fd_msg, len);

        exit(1);

    Note: exit(1) is called immediately after the overflowing sprintf()
    calls, so the function never returns and an overwritten saved return
    address is never used. For that reason the overflow is not considered
    exploitable on the 80x86 architecture; the handling process simply
    terminates.
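    The following is an added example, not code from drcatd or from the
    advisory: it shows the same "File Does Not Exist" handling written with
    the three fixes a reviewer would ask for, namely rejecting over-long
    names before formatting, replacing sprintf() with a bounded snprintf()
    whose result is checked, and sending strlen() bytes rather than
    sizeof(buffer). The buffer sizes FNAME_MAX and MSG_MAX, the function
    names, and the 4000-byte test name are assumptions made for the
    example; the advisory does not quote the real sizes of buf, fdne_msg or
    fd_msg.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Sizes are assumptions for this example; drcatd's real buffer sizes
 * are not given in the advisory. MSG_MAX leaves room for FNAME_MAX
 * bytes of name, the suffix, a newline and the terminating NUL. */
#define FNAME_MAX 255
#define MSG_MAX   320

static const char SUFFIX[] = " - File Does Not Exist";

/* Length of s, but never scanning more than limit bytes, so the check
 * itself stays bounded even for a name without a terminator nearby. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Reject an over-long or malformed name before it reaches any
 * formatting or logging. Control characters are refused so a client
 * cannot forge extra lines in the log either. */
static bool filename_acceptable(const char *name)
{
    size_t len = bounded_len(name, FNAME_MAX + 1);
    if (len == 0 || len > FNAME_MAX)
        return false;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)name[i] < 0x20 || name[i] == 0x7f)
            return false;
    return true;
}

/* Bounded replacement for the two sprintf() calls in the advisory.
 * Returns the message length, or -1 when the name would not have fit;
 * in that case a fixed fallback message is written instead of a
 * silently truncated one. */
static int format_fdne(char *msg, size_t msgsz, const char *name, bool newline)
{
    const char *nl = newline ? "\n" : "";
    int n = snprintf(msg, msgsz, "%s%s%s", name, SUFFIX, nl);
    if (n < 0 || (size_t)n >= msgsz) {
        snprintf(msg, msgsz, "<name too long>%s%s", SUFFIX, nl);
        return -1;
    }
    return n;
}

/* Bytes the original unbounded sprintf() would write for a given name
 * (name + suffix + NUL). Anything above the real size of fdne_msg or
 * fd_msg is an overrun; this is the arithmetic behind the advisory. */
static size_t unbounded_write_size(const char *name)
{
    return strlen(name) + sizeof(SUFFIX);   /* sizeof(SUFFIX) includes the NUL */
}

/* Build the reply the server would send for a nonexistent file.
 * Returns 0 on success and -1 if the name was rejected or did not fit.
 * *reply_len is the number of bytes to put on the wire: the string
 * length, so the remainder of the buffer is never sent to the client. */
static int reply_fdne(const char *name, char *reply, size_t replysz, size_t *reply_len)
{
    reply[0] = '\0';
    *reply_len = 0;
    if (!filename_acceptable(name))
        return -1;
    int n = format_fdne(reply, replysz, name, true);
    *reply_len = strlen(reply);
    return n < 0 ? -1 : 0;
}

/* Constructed test input: a 4000-byte name, the kind of string the
 * advisory describes as triggering the overflow. */
static const char *long_name(void)
{
    static char buf[4001];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    char reply[MSG_MAX];
    size_t len;
    int rc = reply_fdne("notes.txt", reply, sizeof reply, &len);
    printf("short name: rc=%d, %zu bytes: %s", rc, len, reply);
    rc = reply_fdne(long_name(), reply, sizeof reply, &len);
    printf("long name: rc=%d; the original sprintf() would have written %zu bytes\n",
           rc, unbounded_write_size(long_name()));
    return 0;
}
```

    The length check is done before any formatting so that the log message
    (fdne_msg in the original) is protected as well as the network reply;
    fixing only the snprintf() for fd_msg would leave the logIt() path
    overflowing.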

    ADDITIONAL INFORMATION

    The information has been provided by Khan Shirani
    (khan_shirani@yahoo.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

