SecurityTracker.com
Category:  Application (News)  >  newspost
Vendors:  Faulkner, Jim
Newspost Buffer Overflow in socket_getline() Lets Remote Users Crash the Process
SecurityTracker Alert ID:  1013056
SecurityTracker URL:  http://securitytracker.com/id?1013056
CVE Reference:  CAN-2005-0101
Date:  Feb 2 2005
Impact:  Denial of service via network, Execution of arbitrary code via network
Version(s): 2.1.1
Description:  A vulnerability was reported in newspost. A remote user can cause newspost to crash or potentially execute arbitrary code.

Niels Heinen reported that a remote server can trigger a buffer overflow in the socket_getline() function. A remote server can supply a specially crafted response to cause the connecting newspost process to crash. It may be possible to execute arbitrary code, but code execution was not confirmed in the report.

The flaw resides in 'base/socket.c'.

Impact:  A remote NNTP server can cause the connecting newspost process to crash.
Solution:  No vendor solution was available at the time of this entry.

An unofficial patch is available at:

http://people.freebsd.org/~niels/issues/newspost-20050114.txt

Vendor URL:  newspost.unixcab.org/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 1 Feb 2005 19:48:47 -0500
Subject:  http://people.freebsd.org/~niels/issues/newspost-20050114.txt

Bug description:
----------------
 
An overflow exists in the socket_getline() function. This function
reads a string from the socket into a given array and is used by
the nntp_get_response function.
 
The problem code is:
 
        while (TRUE) {                  /* no limit on bytes read into buffer */
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
                read_count += retval;
                pi++;                   /* walks past the end of buffer if no '\n' arrives */
                if (buffer[i] == '\n')
                        break;
                i++;
        }
 
The pi array is the buffer and data is read into it until a '\n'
is received.  So to overflow the buffer one has to provide a long
string without newline characters.
 
Testing the overflow:
---------------------
 
Create a server:
perl -e 'print "A" x 1024;print "BBBBCCCCDDDDEEEE"'|  nc -v -l -p 119
 
Connect to it:
newspost  -s test -i localhost -f me@me.nl -n news.news  /etc/hosts
 
Break the connection by ^C'ing the netcat and you will see that
newspost segfaults immediately.
 
Fix for the problem:
--------------------
 
A rather simple fix would be to apply the patch below. It does the
job because all buffers handed to the socket_getline function are
STRING_BUFSIZE big.
 
--- base/socket.c.orig  Tue Jan 18 11:08:02 2005
+++ base/socket.c       Tue Jan 18 11:10:08 2005
@@ -126,7 +126,7 @@
 
        i = 0;
        pi = buffer;
-       while (TRUE) {
+       while (read_count < STRING_BUFSIZE - 1) {
                retval = read(sockfd, pi, 1);
                if(retval < 0)
                        ui_socket_error(errno);
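Review bot: the new bound only protects the buffer if read_count is 0 on entry and the buffer handed in really is STRING_BUFSIZE bytes, and neither is visible in this hunk (only `i = 0;` and `pi = buffer;` are reset above the loop); passing the size in as a parameter, or at least resetting read_count next to `i = 0;`, would make the guarantee local to the function. Two cases also remain unhandled: `retval = read(sockfd, pi, 1);` returns 0 when the server closes the connection, which `if(retval < 0)` does not catch, and since read_count then never advances the loop now spins instead of overflowing; and when the loop exits at the limit without seeing a newline, the caller gets an unterminated buffer and no signal that the line was truncated. Suggest treating `retval == 0` as an error and NUL-terminating at `buffer[read_count]` after the loop.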
 
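The following is an added example, not code from newspost or from the original report, showing what a bounded replacement for the loop above looks like once the points the patch leaves open are handled: a hard limit of bufsize - 1 bytes, NUL termination on every exit path, and explicit results for a missing newline, a closed peer (read returning 0) and a read error. It assumes STRING_BUFSIZE is 1024 and feeds a constructed 1040-byte response with no newline through a pipe in place of the NNTP socket.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define STRING_BUFSIZE 1024   /* assumed here; newspost defines its own value */

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF, LINE_ERROR };

/* Read one '\n'-terminated line from fd into buf (bufsize bytes), one byte
 * at a time as newspost does. Never writes past buf[bufsize - 1], always
 * NUL-terminates, and reports limit reached without a newline, peer closed
 * (read returned 0) and read errors instead of looping or overflowing. */
static enum line_status bounded_getline(int fd, char *buf, size_t bufsize)
{
    size_t n = 0;
    while (n < bufsize - 1) {
        ssize_t r = read(fd, buf + n, 1);
        if (r < 0 && errno == EINTR)
            continue;
        if (r < 0) { buf[n] = '\0'; return LINE_ERROR; }
        if (r == 0) { buf[n] = '\0'; return LINE_EOF; }    /* peer closed */
        n++;
        if (buf[n - 1] == '\n') { buf[n] = '\0'; return LINE_OK; }
    }
    buf[n] = '\0';                      /* limit hit, no newline seen */
    return LINE_TRUNCATED;
}

/* Push a constructed server response through a pipe and read it back. */
static enum line_status run_case(const char *payload, size_t len,
                                 char *out, size_t outsize)
{
    int fds[2];
    if (pipe(fds) != 0) return LINE_ERROR;
    ssize_t w = write(fds[1], payload, len);
    close(fds[1]);
    enum line_status st = (w == (ssize_t)len)
        ? bounded_getline(fds[0], out, outsize) : LINE_ERROR;
    close(fds[0]);
    return st;
}

int main(void)
{
    char line[STRING_BUFSIZE], junk[1040];
    const char *ok = "200 server ready\r\n";
    memset(junk, 'A', sizeof junk);      /* constructed: 1040 'A's, no '\n' */
    enum line_status st = run_case(junk, sizeof junk, line, sizeof line);
    printf("oversized response: status=%d stored=%zu bytes\n", st, strlen(line));
    st = run_case(ok, strlen(ok), line, sizeof line);
    printf("normal response: status=%d line=%s", st, line);
    return 0;
}
```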
Copyright 2005, SecurityGlobal.net LLC