[UNIX] Drcatd Multiple Buffer Overflows
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com
Date: 28 Jun 2004 18:37:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Drcatd Multiple Buffer Overflows
<http://www.joltedweb.com/drcat/> Dave's Remote Cat concatenates a file
on a remote Linux host that is running the Dr.Cat daemon (drcatd) to
stdout in the client's terminal. It authenticates users against the standard
shadow password facility and spawns a process with that user's permissions
to attempt to access the requested file.
Multiple local buffer overflows and one remotely triggerable buffer overflow
have been found in the remote cat daemon. The remote overflow is triggered
when an overly long name of a file that does not exist is passed to the
server.
Vulnerable Systems:
* Drcatd version 0.5.0-beta
Once a user has authenticated, the filename sent to the server is under the
client's control and can be arbitrarily long. If the named file does not
exist, the server logs the error and sends a reply, but both messages are
built with sprintf() into fixed-size buffers without any bounds checking, so
a sufficiently long filename overflows them. Note also that the reply is
sent with len = sizeof(fd_msg) rather than the length of the formatted
string, so the entire buffer is transmitted. An excerpt from the vulnerable
code is presented below:
/* buf holds the client-supplied filename; fdne_msg and fd_msg are
   fixed-size buffers, and neither sprintf() call checks their length */
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);   /* whole buffer is sent, not strlen(fd_msg) */
local_send(new_fd, fd_msg, len);
Note: because the server calls exit() right after this code, the corrupted
stack frame is never returned through, and the reporter therefore states
that the overflow cannot be exploited on the 80x86 architecture. That
reasoning covers only the saved return address; depending on stack layout,
other locals still used before exit() (such as new_fd and len) may be
clobbered by the same overflow.
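The following is an added example, not code from drcatd or from the advisory, showing the defect in the excerpt above beside a hardened replacement. The buffer size FD_MSG_SZ, the function names and the constructed 300-character filename are assumptions for illustration; the advisory does not give drcatd's real buffer sizes. The hardened version truncates the filename so that the fixed suffix always fits, always NUL-terminates, and returns the number of bytes that should actually be sent (rather than sizeof of the buffer, which would also leak whatever follows the terminator).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size; drcatd's real sizes are not given in the advisory. */
#define FD_MSG_SZ 256

/* Unsafe pattern from the advisory, reproduced here only as a comment:
 *   sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
 *   len = sizeof(fd_msg);
 *   local_send(new_fd, fd_msg, len);
 * Two defects: sprintf() has no bound, and sizeof(fd_msg) sends the whole
 * buffer including any bytes after the terminating NUL.
 */

/* Bytes (including the NUL) that the original sprintf() would write. */
size_t unsafe_len(const char *name)
{
    return strlen(name) + strlen(" - File Does Not Exist\n") + 1;
}

/* True when the original sprintf() would run past a buffer of bufsz bytes. */
int would_overflow(const char *name, size_t bufsz)
{
    return unsafe_len(name) > bufsz;
}

/* Hardened replacement. The filename is cut so the suffix always fits, the
 * output is always NUL-terminated, *truncated reports whether cutting took
 * place, and the return value is the byte count to send. Returns 0 (empty
 * string) if the buffer cannot hold even the suffix. */
size_t format_fd_msg(char *out, size_t outsz, const char *name, int *truncated)
{
    static const char suffix[] = " - File Does Not Exist\n";
    size_t suffix_len = sizeof(suffix) - 1;
    size_t name_len, max_name;
    int n;

    if (outsz <= suffix_len) {
        if (outsz)
            out[0] = '\0';
        if (truncated)
            *truncated = 1;
        return 0;
    }
    max_name = outsz - 1 - suffix_len;      /* room left for the name */
    name_len = strlen(name);
    if (truncated)
        *truncated = name_len > max_name;
    if (name_len > max_name)
        name_len = max_name;
    /* %.*s bounds the name; total length is at most outsz - 1 by construction */
    n = snprintf(out, outsz, "%.*s%s", (int)name_len, name, suffix);
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

int main(void)
{
    /* Constructed input: a 300-byte filename, longer than FD_MSG_SZ. */
    char big[301];
    char fd_msg[FD_MSG_SZ];
    int truncated = 0;
    size_t len;

    memset(big, 'A', 300);
    big[300] = '\0';

    printf("original sprintf would overflow %u-byte buffer: %s\n",
           (unsigned)FD_MSG_SZ, would_overflow(big, FD_MSG_SZ) ? "yes" : "no");

    len = format_fd_msg(fd_msg, sizeof fd_msg, big, &truncated);
    printf("hardened: %u bytes to send, truncated=%d, ends with suffix: %s\n",
           (unsigned)len, truncated,
           strcmp(fd_msg + len - 23, " - File Does Not Exist\n") == 0 ? "yes" : "no");
    return 0;
}
```

The important design point is that the value passed to the send call is the return value of format_fd_msg(), i.e. the formatted length, never sizeof(fd_msg); sending sizeof bytes would still disclose uninitialised or stale stack contents to the client even after the overflow itself is fixed.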
The information has been provided by <mailto:firstname.lastname@example.org> Khan
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.