lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20060806212752.d94102af.aluigi@autistici.org>
Date: Sun, 6 Aug 2006 21:27:52 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com
Subject: Multiple vulnerabilities in DConnect Daemon 0.7.0 (CVS 30 Jul 2006)


#######################################################################

                             Luigi Auriemma

Application:  DConnect Daemon
              http://www.dc.ds.pg.gda.pl
Versions:     <= 0.7.0 and CVS <= 30 Jul 2006
Platforms:    Windows, *nix, *BSD and others
Bugs:         A] listen_thread_udp buffer-overflow
              B] dc_chat NULL pointer
              C] various format string bugs (privileges needed)
Exploitation: remote
Date:         06 Aug 2006
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DConnect Daemon is an open source P2P server for the Direct Connect
protocol.


#######################################################################

=======
2) Bugs
=======

------------------------------------
A] listen_thread_udp buffer-overflow
------------------------------------

The main function which handles the UDP packets is affected by a
buffer-overflow vulnerability which happens when a nickname longer than
32 (NICK_LEN) chars is received.
The UDP port is disabled by default, the min_slots parameter in
dcd.conf must be enabled for using this service.

>From main.c:

void listen_thread_udp(void *args)
    ...
    char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL, *__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
    ...
        if (!i)nick_prev[0]=0;		
        else strcpy(nick_prev,nick);
    ...


-----------------------
B] dc_chat NULL pointer
-----------------------

The dc_chat function used for handling the messages received from the
clients leads to a crash caused by usr->nick which points to NULL if
the client has not sent its nickname yet (so it's enough to send a
message as first command for exploiting this bug).

>From cmd.dc.c:

void dc_chat(dc_param_t *param)
{
    userrec_t *usr = param->usr;
    ...
    if (strcmp(cmd,usr->nick))
    ...


-------------------------------------------------
C] various format string bugs (privileges needed)
-------------------------------------------------

privmsg and pubmsg are two functions used to send messages to one or
more users.
Both the functions require a format argument (like printf) which is
missed in some parts of the code.
These format string vulnerabilities can be exploited only if the
attacker has superior user or administrator privileges.

>From cmd.user.c:

void chat_msg(chat_param_t *param)
    ...
    if (user[n]!=usr) pubmsg(user[n],msg);
    ...

void chat_msg_all(chat_param_t *param)
    ...
    pubmsg(NULL,par);
    ...

void chat_msg_prv(chat_param_t *param)
    ...
    if (user[n]!=usr) privmsg(user[n],NULL,msg);
    ...

void chat_msg_prv_all(chat_param_t *param)
    ...
    privmsg(NULL,NULL,msg);
    ...

>From penalties.c:

void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
    ...
    privmsg(to,op,str);
    ...

>From cmd.dc.c:

void dc_OpForceMove(dc_param_t *param)
    ...
    privmsg(usr,NULL,msg);
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/dconnx.zip


#######################################################################

======
4) Fix
======


CVS 31 Jul 2006:

  cvs -d:pserver:anonymous@....ds.pg.gda.pl:/home/cvsroot get dc-hub


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ