Message-ID: <20040215154152.32653.qmail@www.securityfocus.com>
Date: 15 Feb 2004 15:41:52 -0000
From: LynX <_lynx@...ru>
To: bugtraq@...urityfocus.com
Subject: problems with database files in 'SignatureDB'






 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 File: LynX-adv4_SignatureDB.txt
 Date: 15/02/2004
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

 o NAME: problems with database files in 'SignatureDB'

 o CLASS: denial of service (DoS)

 o PROGRAM: SignatureDB [http://pldaniels.com/signaturedb/]
  - Affected versions: 0.1.1
  - Immune versions: -

 o OS: Linux and UNIX clones

 o VENDOR: Paul L Daniels <pldaniels@...aniels.com>

 o DESCRIPTION:
   'SignatureDB' actually consists of two components: a signature database, which
  is available on the internet, and a 'signatureID' program, which scans your
  files. You can in effect use 'SDB/ID' the way you would use an 'AntiVirus'
  program, but 'SDB/ID' is aimed at a slightly different sector of the industry.
  Its purpose is to provide signatures/fingerprints of common, annoying
  emails/files, not specifically viruses.
   
 o VULNERABILITY DESCRIPTION:
   The 'SignatureDB' package contains the 'sdbscan' program, which scans files
  according to a specified database file. It is possible to put an oversized
  'key' field into this file, which leads to a 'Segmentation fault'. The
  functions that work with the contents of database files are located in the
  'ringsearch.c' file.
   My comments follow '#'.
   
   Cut from file: 'ringsearch.h'
   ...
   struct _infonode {
    char key[20];
    char *comment;
    int major;
    int minor;
    int flags;
   };
   ...

   Cut from file: 'ringsearch.c' (RS_load_keys, original lines 537-582)
   ...
   int RS_load_keys( struct _snode *parent, char *fname ){
                        /* # 'fname' is the database filename */
   ...
    char line[10240]; /* # 10240 bytes are allocated, but only 1024 are used */
                      /* # below; maybe the author made a typo and the last */
                      /* # 0 is unnecessary :) */
   ...
     while (fgets(line, 1023, f)){
   ...
      sprintf(info->key,"%s",key); /* # the size of 'key' is not checked: it */
                                   /* # can be up to 1018 bytes, while */
                                   /* # 'info->key' is only 20 bytes, so */
                                   /* # 'info->key' can be overflowed */
   ...

   It is only the first version of 'SignatureDB', so I think that this problem
  will be fixed in the next versions.
   P.S. Sorry for my poor English :).

 o VULNERABILITY PREVENTION:
   Instead of the unbounded 'sprintf' function, it would be more correct to use
  'snprintf' with the size of 'info->key'.
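   As an added illustration (not code from SignatureDB or its author), the
  following C replaces the unchecked copy into the 20-byte 'key' with a bounded
  one, and goes one step further than 'snprintf': a key that does not fit is
  refused rather than silently truncated, since a shortened signature key would
  later match the wrong files. The struct layout follows '_infonode'; the
  assumption that the key is the first colon-separated field of a database line
  is taken from the 'fake.db' example, not from the project's parser.

```c
#include <stdio.h>
#include <string.h>

#define KEY_LEN 20    /* same size as 'char key[20]' in struct _infonode */
#define LINE_LEN 1024 /* sdbscan reads at most 1023 bytes per line via fgets */

struct infonode {
    char key[KEY_LEN];
    int major, minor, flags;
};

/* Replacement for the unchecked sprintf(info->key, "%s", key) in RS_load_keys.
 * 'line' is one database line; the key is assumed (constructed assumption) to
 * be the first colon-separated field, as in the advisory's fake.db.
 * Oversized keys are rejected instead of truncated: snprintf() alone would
 * stop the overflow, but a silently shortened key would match the wrong files.
 * Returns 0 on success, -1 if the key is empty or does not fit with its NUL. */
int key_from_line(const char *line, struct infonode *info)
{
    size_t len = strcspn(line, ":\r\n");   /* length of the first field */
    if (len == 0 || len >= KEY_LEN)
        return -1;                         /* no room for the terminating NUL */
    memcpy(info->key, line, len);
    info->key[len] = '\0';
    return 0;
}

/* Walks a database held in memory the way RS_load_keys walks its file and
 * returns how many lines were refused; '*loaded' receives the count of keys
 * accepted.  Lines longer than LINE_LEN-1 are refused as well, because the
 * original fgets(line, 1023, f) would split them into two bogus records. */
int load_keys_checked(const char *db, int *loaded)
{
    struct infonode info;
    int rejected = 0;
    *loaded = 0;
    while (*db) {
        size_t n = strcspn(db, "\n");
        char line[LINE_LEN];
        if (n >= sizeof line) {
            rejected++;
        } else {
            memcpy(line, db, n);
            line[n] = '\0';
            if (key_from_line(line, &info) == 0) (*loaded)++;
            else rejected++;
        }
        db += n + (db[n] == '\n');
    }
    return rejected;
}
```

  Running the advisory's 1000-byte key through 'load_keys_checked' yields one
  rejected record and no write past 'info->key'.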

 o EXPLOITING:
   It is possible to specify a configuration file for the 'sdbscan' program. In
  this file you may set the path to your own database file, whose contents can
  cause the buffer overflow and then a 'Segmentation fault'.
   
   Example of exploiting :
   
   [LynX@ /tmp]$ cat my.conf
   dbfile=/tmp/fake.db
   verbose=1
   fastscan=0
   fastexit=0
   [LynX@ /tmp]$ cat fake.db
   AAA ... '1000 x A' ... AAA:1:1:1:1:A:A
   [LynX@ /tmp]$ sdbscan --conf_file=my.conf
   Segmentation fault (core dumped) 
   [LynX@ /tmp]$
 
 o VENDOR RESPONSE:
   I sent a notification mail to Paul Daniels <pldaniels@...aniels.com> and
  did not receive an answer.

 o CREDITS:
  - Thanks: nob0dy, netc0de, Xarth
  - Greets: R00T T34M [http://rootteam.void.ru],
            void,
            LimpidByte,
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                Discovered by LynX
                                                                     <_LynX@...ru>
                                               / close your eyes & dream with me /
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 



