BugTraq
problems with database files in 'SignatureDB' Feb 15 2004 03:41PM
LynX (_lynx bk ru)


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

File: LynX-adv4_SignatureDB.txt

Date: 15/02/2004

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

o NAME: problems with database files in 'SignatureDB'

o CLASS: denial of service (DOS)

o PROGRAM: SignatureDB [http://pldaniels.com/signaturedb/]

- Affected versions: 0.1.1

- Immune versions: -

o OS: Linux and UNIX clones

o VENDOR: Paul L Daniels <pldaniels (at) pldaniels (dot) com>

o DESCRIPTION:

'SignatureDB' is actually two components: a signature database which is
available on the internet, and a 'signatureID' program, which scans your files.
You can in effect consider 'SDB/ID' in the same way you consider and use an
'AntiVirus' program, but 'SDB/ID' are aimed at a slightly different sector of
the industry. Its purpose is to provide signatures/fingerprints of common,
annoying emails/files, not specifically viruses.

o VULNERABILITY DESCRIPTION:

The 'SignatureDB' package contains the 'sdbscan' program, which scans files
according to a specified database file. It is possible to put an oversized
'key' field in this file, which leads to a 'Segmentation fault'. The functions
that work with the contents of database files are located in 'ringsearch.c'.

My comments follow '#'.

Cut from file: 'ringsearch.h'

...
struct _infonode {
    char key[20];
    char *comment;
    int major;
    int minor;
    int flags;
};
...

Cut from file: 'ringsearch.c'

...
int RS_load_keys( struct _snode *parent, char *fname ){
    /* # 'fname' is the database filename */
...
    char line[10240]; /* # a 10240-byte buffer is allocated, but only 1023 */
                      /* # bytes of it are ever used; maybe the author     */
                      /* # mistyped and the trailing 0 is unnecessary :)   */
...
    while (fgets(line, 1023, f)){
...
    sprintf(info->key,"%s",key); /* # the size of 'key' is not checked: it */
                                 /* # can be up to 1018 bytes, while       */
                                 /* # 'info->key' is only 20 bytes, so     */
                                 /* # 'info->key' can be overflowed        */
...

It's only the first version of 'SignatureDB', so I think this problem will be
fixed in the next versions.

P.S. Sorry for my poor English :).

o VULNERABILITY PREVENTION:

Instead of the 'sprintf' function, it would be more correct to use 'snprintf'.
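The unchecked 'sprintf' into the 20-byte 'key' field quoted above, replaced by the bounded copy this section recommends, as an added example written for this advisory; it is not SignatureDB's own code. The record layout 'key:major:minor:flags:comment', the names 'set_key' and 'parse_db_line', and the sample records are my assumptions, chosen only to mirror the fields of 'struct _infonode'; the real sdb file format is not documented here.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as struct _infonode in ringsearch.h; the 20-byte key overflows. */
struct infonode {
    char key[20];
    char *comment;
    int major;
    int minor;
    int flags;
};

/* Bounded replacement for sprintf(info->key, "%s", key): a key that does not
 * fit together with its NUL is rejected up front, so snprintf() can neither
 * overrun the field nor silently truncate the key into a different value. */
int set_key(struct infonode *info, const char *key)
{
    if (strlen(key) >= sizeof info->key)
        return -1;
    snprintf(info->key, sizeof info->key, "%s", key);
    return 0;
}

/* Returns the field at *cursor and advances past the next ':'; *cursor
 * becomes NULL once the line is exhausted. */
static char *next_field(char **cursor)
{
    char *start = *cursor, *colon = start ? strchr(start, ':') : NULL;
    if (colon != NULL)
        *colon = '\0';
    *cursor = colon ? colon + 1 : NULL;
    return start;
}

/* Strict decimal parse: the whole field must be a number that fits an int. */
static int parse_int(const char *s, int *out)
{
    char *end; long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || errno != 0 || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Parses one record of the ASSUMED form "key:major:minor:flags:comment" (the
 * trailing comment is ignored here). Returns 0 and fills *out on success,
 * -1 on malformed or oversized input, in which case *out is left untouched. */
int parse_db_line(const char *line, struct infonode *out)
{
    char buf[1024];   /* same working size as sdbscan's 1023-byte fgets() */
    struct infonode tmp = {{0}, NULL, 0, 0, 0};
    char *cur = buf, *key, *major, *minor, *flags;

    if (strlen(line) >= sizeof buf)
        return -1;    /* over-long record: reject instead of splitting it */
    memcpy(buf, line, strlen(line) + 1);
    buf[strcspn(buf, "\r\n")] = '\0';

    key = next_field(&cur);
    major = next_field(&cur);
    minor = next_field(&cur);
    flags = next_field(&cur);
    if (!key || !major || !minor || !flags)
        return -1;    /* fewer than four ':'-separated fields */
    if (set_key(&tmp, key) != 0)
        return -1;    /* where the original sprintf() overflowed */
    if (parse_int(major, &tmp.major) || parse_int(minor, &tmp.minor) ||
        parse_int(flags, &tmp.flags))
        return -1;
    *out = tmp;
    return 0;
}

/* 1 if the parser accepts the record, 0 if it rejects it. */
int line_is_accepted(const char *line)
{
    struct infonode n;
    return parse_db_line(line, &n) == 0;
}

/* Constructs a record whose key is key_len bytes of 'A' followed by the rest
 * of the fake.db line quoted in the advisory, and reports whether it is accepted. */
int long_key_accepted(size_t key_len)
{
    static const char tail[] = ":1:1:1:A:A";
    char line[2048];
    if (key_len + sizeof tail > sizeof line)
        return 0;
    memset(line, 'A', key_len);
    memcpy(line + key_len, tail, sizeof tail);
    return line_is_accepted(line);
}
```

Two points the one-word fix ('snprintf') does not cover by itself: 'snprintf' alone would quietly cut a 1000-byte key down to 19 bytes and carry on loading it, so the length check in 'set_key' rejects the record instead, which is the safer behaviour for a signature database; and the reading loop should use 'fgets(line, sizeof line, f)' so the buffer size and the read bound cannot drift apart as they do in the quoted 10240/1023 pair.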

o EXPLOITING:

It is possible to specify a configuration file for the 'sdbscan' program; in
this file you may give the path to your own database file, whose contents can
cause a buffer overflow and then a 'Segmentation fault'.

Example of exploitation:

[LynX@ /tmp]$ cat my.conf
dbfile=/tmp/fake.db
verbose=1
fastscan=0
fastexit=0
[LynX@ /tmp]$ cat fake.db
AAA ... '1000 x A' ... AAA:1:1:1:1:A:A
[LynX@ /tmp]$ sdbscan --conf_file=my.conf
Segmentation fault (core dumped)
[LynX@ /tmp]$

o VENDOR RESPONSE:

I sent a notification mail to Paul Daniels <pldaniels (at) pldaniels (dot) com>
and did not receive an answer.

o CREDITS:

- Thanks: nob0dy, netc0de, Xarth

- Greets: R00T T34M [http://rootteam.void.ru], void, LimpidByte

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Discovered by LynX

<_LynX (at) bk (dot) ru>

/ close your eyes & dream with me /

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.4 (GNU/Linux)

Comment: For info see http://www.gnupg.org

iEYEARECAAYFAkAv8HMACgkQjvZ3gq5fCnGA8gCgnqItklxup0YzArOkT6nn+kNI

5BgAoOf+SFgV1vXH73RcdzIWXbdXa8NK

=iIIl

-----END PGP SIGNATURE-----
