• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Tetrix Buffer Overflow Vulnerabaility

Solution:
The following patch should be applied to the tetrinet source:

----------------------------------snip snip-------------------------------

diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c

--- tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998

+++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999

@@ -2561,7 +2562,7 @@

/* Someone has just connected. So lets answer them */

void net_telnet(struct net_t *n, char *buf)

{

- unsigned long ip; int k,l; char s[121]; char strg[121];

+ unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];

char n1[4], n2[4], n3[4], n4[4];

struct channel_t *chan, *ochan;

struct net_t *net;

diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h

--- tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998

+++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999

@@ -48,9 +48,8 @@

#define SERVERBUILD "16" /* What build we are at */

#define NICKLEN 30 /* Maximum length of Nickname */

#define VERLEN 10 /* Maximum length of Tetrinet version */

-#define UHOSTLEN 30 /* Maximum length of Hostname */

+#define UHOSTLEN 256 /* Maximum length of Hostname */

#define TEAMLEN NICKLEN /* Maximum length of teamname */

-/*#define MAXNET 80*/ /* Maximum network sockets */

#define MAXWINLIST 100 /* Maximum entries on Winlist */

#define TELNET_PORT 31457 /* Telnet port to listen on */

#define QUERY_PORT 31456 /* Query port to listen on */

diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c

--- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998

+++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999

@@ -250,15 +250,17 @@

unsigned long ip;

{

struct hostent *hp; unsigned long addr=ip;

- unsigned char *p; static char s[121];

-/* alarm(10);*/

+ unsigned char *p; static char s[UHOSTLEN];

+

hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/

if (hp==NULL) {

p=(unsigned char *)&addr;

sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);

return s;

}

- strcpy(s,hp->h_name); return s;

+ strncpy(s,hp->h_name,(UHOSTLEN-1));

+ s[strlen(s)]='\0';

+ return s;

}

/* short routine to answer a connect received on a socket made previously

----------------------------------snip snip-------------------------------