DC Open Hub Buffer Overflow in RedirectAll Lets Remote Authenticated Administrators Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1012323
|
|
SecurityTracker URL: http://securitytracker.com/id?1012323
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 24 2004
|
Impact: Execution of arbitrary code via network, User access via network
|
Version(s): 0.7.14
|
Description: Donato Ferrante reported a buffer overflow vulnerability in DC Open Hub. A remote authenticated administrator can execute arbitrary code on the target system.
It is reported that a remote authenticated administrator can set a specially crafted RedirectAll value to trigger the buffer overflow
and execute arbitrary code.
A demonstration exploit is available at:
http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip
The
vendor has been notified without response.
|
Impact: A remote authenticated administrator can execute arbitrary code on the target system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: opendchub.sourceforge.net/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Donato Ferrante" <fdonato@autistici.org>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 24 Nov 2004 15:54:28 -0000
From: "Donato Ferrante" <fdonato@autistici.org>
Subject: Buffer Overflow in Open Dc Hub 0.7.14
|
Donato Ferrante
Application: Open Dc Hub
http://opendchub.sourceforge.net/
Version: 0.7.14
Bug: Buffer Overflow
Date: 24-Nov-2004
Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"An Open Source Linux/Unix version of the hub software for Direct
Connect."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't correctly manage the $RedirectAll command.
In fact it will have a buffer overflow, letting an attacker to execute
arbitrary code on the victim system.
NOTE: To exploit the bug the attacker needs to have admin privilege on
the victim hub.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
No fix.
The vendor has not not replied to my mails.
In the meantime give admin access only to trusted people.
If you want you can use my following little patch that should fix this
bug:
/* patch */
--- commands.c 2004-11-21 13:01:48.000000000 +0100
+++ patch.c 2004-11-21 13:05:33.000000000 +0100
@@ -2842,7 +2842,7 @@
{
char move_string[MAX_HOST_LEN+20];
- sprintf(move_string, "$ForceMove %s", buf);
+ snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf);
send_to_humans(move_string, REGULAR | REGISTERED | OP, user);
remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1);
/* end patch */
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
