BugTraq
Back to list
|
Post reply
multiple remote & local buffer overflows discovered in Drcatd
Jun 25 2004 04:52PM
Khan Shirani (khan_shirani yahoo com)
Zone-h Security Advisory
Date of discovery : 24 june 2004
Date of release : 25 june 2004
Bug found by Khan Shirani
<shirani (at) zone-h (dot) org [email concealed]>
http://www.zone-h.org
---------------------------------------
Software : Drcatd
Bugs : Buffer Overflows , Remote and local (multiple)
Risk : low
Platform : *nix
---------------------------------------
Description:
============
Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the
Dr.Cat daemon (drcatd) to stdout in the clients terminal. It authenticates users versus
the standard shadow password authentication facility and spawns a process with that users
permissions to attempt to access the requested file
http://www.joltedweb.com/drcat/
Vulnerability:
==============
Muliple local buffer overflows have been discovered . In addition to this , remote exploitation
is also possible due to a lack of boundry checking of input once a user has been authenticated.
The vulnerability exists when the remote user sends an overly long filename that doesnt exist.
This is handled by an sprintf() call which is where the overflow will occur
vulnerable code:
================
----------------------
drcat-0.5.0-beta\src\drcatd.c
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
logIt(fdne_msg);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);
local_send(new_fd, fd_msg, len);
exit(1);
----------------------
NOTE: Due to the exit(1) from the above snippet, exploitation of this vulnerability is not possible within x86 arche's.
Vendor Notice:
==============
The vendor has been notified via <dave (at) joltedweb (dot) com [email concealed]>
Copyright
=========
Contents may not be altered without notification to original author
permission is granted to reproduce this advisory on public databases.
shirani (at) zone-h (dot) org [email concealed]
and all the zone-h staff.
http://www.zone-h.org
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Zone-h Security Advisory
Date of discovery : 24 june 2004
Date of release : 25 june 2004
Bug found by Khan Shirani
<shirani (at) zone-h (dot) org [email concealed]>
http://www.zone-h.org
---------------------------------------
Software : Drcatd
Bugs : Buffer Overflows , Remote and local (multiple)
Risk : low
Platform : *nix
---------------------------------------
Description:
============
Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the
Dr.Cat daemon (drcatd) to stdout in the clients terminal. It authenticates users versus
the standard shadow password authentication facility and spawns a process with that users
permissions to attempt to access the requested file
http://www.joltedweb.com/drcat/
Vulnerability:
==============
Muliple local buffer overflows have been discovered . In addition to this , remote exploitation
is also possible due to a lack of boundry checking of input once a user has been authenticated.
The vulnerability exists when the remote user sends an overly long filename that doesnt exist.
This is handled by an sprintf() call which is where the overflow will occur
vulnerable code:
================
----------------------
drcat-0.5.0-beta\src\drcatd.c
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
logIt(fdne_msg);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);
local_send(new_fd, fd_msg, len);
exit(1);
----------------------
NOTE: Due to the exit(1) from the above snippet, exploitation of this vulnerability is not possible within x86 arche's.
Vendor Notice:
==============
The vendor has been notified via <dave (at) joltedweb (dot) com [email concealed]>
Copyright
=========
Contents may not be altered without notification to original author
permission is granted to reproduce this advisory on public databases.
shirani (at) zone-h (dot) org [email concealed]
and all the zone-h staff.
http://www.zone-h.org
[ reply ]