lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040625173931.32648.qmail@web52703.mail.yahoo.com>
From: khan_shirani at yahoo.com (Khan Shirani)
Subject: Multiple remote & local buffer overflows discovered in Drcatd

Zone-h Security Advisory 
Date of discovery : 24 june 2004
Date of release : 25 june 2004 
Bug found by Khan Shirani 
<shirani@...e-h.org> 
http://www.zone-h.org 

---------------------------------------
Software : Drcatd
Bugs : Buffer Overflows , Remote and local (multiple)
Risk : low
Platform : *nix
--------------------------------------- 

Description:
======== 
Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the 
Dr.Cat daemon (drcatd) to stdout in the clients terminal. It authenticates users versus 
the standard shadow password authentication facility and spawns a process with that users
permissions to attempt to access the requested file 
http://www.joltedweb.com/drcat/ 

Vulnerability:
========= 
Muliple local buffer overflows have been discovered . In addition to this , remote exploitation
is also possible due to a lack of boundry checking of input once a user has been authenticated.
The vulnerability exists when the remote user sends an overly long filename that doesnt exist.
This is handled by an sprintf() call which is where the overflow will occur 
vulnerable code:
=========== 
----------------------
drcat-0.5.0-beta\src\drcatd.c
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
logIt(fdne_msg);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);
local_send(new_fd, fd_msg, len); 
exit(1); 
---------------------- 
NOTE: Due to the exit(1) from the above snippet, exploitation of this vulnerability is not possible within x86 arche's.


Vendor Notice:
========== 
The vendor has been notified via <dave@...tedweb.com> 
Copyright
======= 

Contents may not be altered without notification to original author
permission is granted to reproduce this advisory on public databases. 
shirani@...e-h.org 
and all the zone-h staff.
http://www.zone-h.org



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040625/b9a1cdbe/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ