Buffer Overflow in Open Dc Hub 0.7.14

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 11/24/04

  • Next message: Conectiva Updates: "[CLA-2004:899] Conectiva Security Announcement - samba" 
    Date: Wed, 24 Nov 2004 15:54:28 -0000
To: <bugtraq@securityfocus.com>, <vuln@secunia.com>, <full-disclosure@lists.netsys.com>, <bugs@securitytracker.com>, <news@securiteam.com>

                               Donato Ferrante

    Application: Open Dc Hub
                  http://opendchub.sourceforge.net/

    Version: 0.7.14

    Bug: Buffer Overflow

    Date: 24-Nov-2004

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bug
    3. The code
    4. The fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "An Open Source Linux/Unix version of the hub software for Direct
    Connect."

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    2. The bug:
    ------------

    The program doesn't correctly manage the $RedirectAll command.
    In fact it will have a buffer overflow, letting an attacker to execute
    arbitrary code on the victim system.

    NOTE: To exploit the bug the attacker needs to have admin privilege on
    the victim hub.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    To test the vulnerability:

    http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The fix:
    ------------

    No fix.
    The vendor has not not replied to my mails.

    In the meantime give admin access only to trusted people.
    If you want you can use my following little patch that should fix this
    bug:

    /* patch */

    --- commands.c 2004-11-21 13:01:48.000000000 +0100
    +++ patch.c 2004-11-21 13:05:33.000000000 +0100
    @@ -2842,7 +2842,7 @@
     {
        char move_string[MAX_HOST_LEN+20];

    - sprintf(move_string, "$ForceMove %s", buf);
    + snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf);

        send_to_humans(move_string, REGULAR | REGISTERED | OP, user);
        remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1);

    /* end patch */

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  • Next message: Conectiva Updates: "[CLA-2004:899] Conectiva Security Announcement - samba"

    Relevant Pages

    • Buffer Overflow in Open Dc Hub 0.7.14
      ... The bug ... The fix ... "An Open Source Linux/Unix version of the hub software for Direct ...
      (Full-Disclosure)
    • [Full-Disclosure] Buffer Overflow in Open Dc Hub 0.7.14
      ... The bug ... The fix ... "An Open Source Linux/Unix version of the hub software for Direct ...
      (Full-Disclosure)
    • [Un] Unangband 0.6.3 released
      ... Allow player to assemble friendly monsters and carry eggs to hatch ... Updated druidic spells to use new region code. ... Fix lockup bugs generating the Old Forest. ... Fix bug where items dropped by monster death would infinitely ...
      (rec.games.roguelike.announce)
    • please pull from the trivial tree
      ... Fix spelling in E1000_DISABLE_PACKET_SPLIT Kconfig description ... +- Finding patch that caused a bug ... +Always try the latest kernel from kernel.org and build from source. ... Length of input string in bytes ...
      (Linux-Kernel)
    • Subterrane v0.194 Alpha Released
      ... system, a character sheet, a ton of new spells, new monsters, item ... Added a character sheet that displays your character's ... Fix: Fixed a bug in the encumbrance calculation and status display ...
      (rec.games.roguelike.announce)