lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 5 Mar 2008 21:59:59 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Multiple vulnerabilities in Perforce Server 2007.3/143793


#######################################################################

                             Luigi Auriemma

Application:  Perforce Server
              http://www.perforce.com
Versions:     <= 2007.3/143793
Platforms:    Windows, Unix, Linux and Mac
Bugs:         NULL pointers, invalid memory access and endless loop
Exploitation: remote
Date:         05 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
"Perforce SCM (Software Configuration Management) versions and manages
source code and digital assets for enterprises large and small."


#######################################################################

=======
2) Bugs
=======


The Perforce server is affected by multiple vulnerabilities which
allow any unauthenticated attacker to crash the server or consuming all
its resources.

The first type of vulnerabilities includes the NULL pointers generated
by the absence of some parameters in the client's request and the lack
of checks on the pointers returned by the functions which get these
values from the packets.

The commands affected by these NULL pointer vulnerabilities are the
following: dm-FaultFile, dm-LazyCheck, dm-ResolvedFile, dm-OpenFile,
crypto and possibly others.

A secondary type of vulnerabilities is exploitable through the
server-DiffFile and server-ReleaseFile commands, in this case the
problem is caused by the 32 bit number provided by the client which is
used as amount of elements in the initialization of an array.

Another problem is then exploitable again with a malformed
server-DiffFile command and allows to force the server in an endless
loop which will cause its termination after having consumed all the
memory and the resources of the system.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/perforces.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists