SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  DConnect Daemon
Vendors:  dc.ds.pg.gda.pl
DConnect Daemon Format String and Buffer Overflow Flaws Let Remote Users Deny Service or Execute Arbitrary Code
SecurityTracker Alert ID:  1016641
SecurityTracker URL:  http://securitytracker.com/id?1016641
CVE Reference:  CVE-2006-4125, CVE-2006-4126, CVE-2006-4127
Updated:  Jun 8 2008
Original Entry Date:  Aug 7 2006
Impact:  Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.7.0 and prior versions
Description:  Luigi Auriemma reported multiple vulnerabilities in DConnect Daemon. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.

A remote user can send a specially crafted nickname to trigger a buffer overflow in listen_thread_udp() and execute arbitrary code on the target system. The code will run with the privileges of the target service. If the UDP port is enabled via the min_slots parameter in the 'dcd.conf' file (not the default configuration), the system may be vulnerable.

A remote user can also send specially crafted data to cause the dc_chat() function on the target client to reference a null pointer and crash.

A remote authenticated user with super user or administrator privileges can exploit format string vulnerabilities in the privmsg() and pubmsg() functions to execute arbitrary code.

Some demonstration exploit code is available at:

http://aluigi.org/poc/dconnx.zip

Impact:  A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.dc.ds.pg.gda.pl/
Cause:  Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Luigi Auriemma <aluigi@autistici.org>
Message History:   None.


 Source Message Contents

Date:  Sun, 6 Aug 2006 21:27:52 +0200
From:  Luigi Auriemma <aluigi@autistici.org>
Subject:  Multiple vulnerabilities in DConnect Daemon 0.7.0 (CVS 30 Jul 2006)

 
 
#######################################################################
 
                             Luigi Auriemma
 
Application:  DConnect Daemon
              http://www.dc.ds.pg.gda.pl
Versions:     <= 0.7.0 and CVS <= 30 Jul 2006
Platforms:    Windows, *nix, *BSD and others
Bugs:         A] listen_thread_udp buffer-overflow
              B] dc_chat NULL pointer
              C] various format string bugs (privileges needed)
Exploitation: remote
Date:         06 Aug 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
 
 
#######################################################################
 
 
1) Introduction
2) Bugs
3) The Code
4) Fix
 
 
#######################################################################
 
===============
1) Introduction
===============
 
 
DConnect Daemon is an open source P2P server for the Direct Connect
protocol.
 
 
#######################################################################
 
=======
2) Bugs
=======
 
------------------------------------
A] listen_thread_udp buffer-overflow
------------------------------------
 
The main function which handles the UDP packets is affected by a
buffer-overflow vulnerability which happens when a nickname longer than
32 (NICK_LEN) chars is received.
The UDP port is disabled by default, the min_slots parameter in
dcd.conf must be enabled for using this service.
 
From main.c:

void listen_thread_udp(void *args)
    ...
    char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL, *__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
    ...
    if (!i)nick_prev[0]=0;
    else strcpy(nick_prev,nick);
    ...


-----------------------
B] dc_chat NULL pointer
-----------------------

The dc_chat function used for handling the messages received from the
clients leads to a crash caused by usr->nick which points to NULL if the
client has not sent its nickname yet (so it's enough to send a message
as first command for exploiting this bug).

From cmd.dc.c:

void dc_chat(dc_param_t *param)
{
    userrec_t *usr = param->usr;
    ...
    if (strcmp(cmd,usr->nick))
    ...


-------------------------------------------------
C] various format string bugs (privileges needed)
-------------------------------------------------

privmsg and pubmsg are two functions used to send messages to one or
more users. Both the functions require a format argument (like printf)
which is missing in some parts of the code.
These format string vulnerabilities can be exploited only if the
attacker has superior user or administrator privileges.

From cmd.user.c:

void chat_msg(chat_param_t *param)
    ...
    if (user[n]!=usr) pubmsg(user[n],msg);
    ...

void chat_msg_all(chat_param_t *param)
    ...
    pubmsg(NULL,par);
    ...

void chat_msg_prv(chat_param_t *param)
    ...
    if (user[n]!=usr) privmsg(user[n],NULL,msg);
    ...

void chat_msg_prv_all(chat_param_t *param)
    ...
    privmsg(NULL,NULL,msg);
    ...

From penalties.c:

void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
    ...
    privmsg(to,op,str);
    ...

From cmd.dc.c:

void dc_OpForceMove(dc_param_t *param)
    ...
    privmsg(usr,NULL,msg);
    ...


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/dconnx.zip


#######################################################################

======
4) Fix
======

CVS 31 Jul 2006:

cvs -d:pserver:anonymous@cvs.ds.pg.gda.pl:/home/cvsroot get dc-hub


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
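The three defect patterns quoted in this advisory (the unbounded strcpy into nick_prev, the strcmp against a still-NULL usr->nick, and user text passed as the printf-style format of privmsg/pubmsg), each beside the hardened form a maintainer would want, as an added example in C that is not DConnect Daemon code. NICK_LEN = 32 is taken from the quoted declaration nick_prev[NICK_LEN]; the function names, the toy privmsg that renders into a local buffer instead of a socket, and the sample inputs are assumptions made for this example.

```c
/* Added example: hardened counterparts of the three defect patterns quoted
 * in the advisory. Not DConnect Daemon code. NICK_LEN comes from the quoted
 * declaration nick_prev[NICK_LEN]; every other name here is an assumption. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NICK_LEN 32   /* array size of nick_prev in the quoted code */

/* Bug A: the quoted code does strcpy(nick_prev, nick) with no length check.
 * Hardened copy: the nick must fit in dst together with its terminator,
 * otherwise the datagram is rejected. Returns 0 on success, -1 if too long. */
int copy_nick_checked(char dst[NICK_LEN], const char *nick)
{
    /* Look for the terminator only inside the window we are allowed to copy. */
    const char *end = memchr(nick, '\0', NICK_LEN);
    if (end == NULL)
        return -1;                 /* NICK_LEN or more chars: no room for '\0' */
    memcpy(dst, nick, (size_t)(end - nick) + 1);   /* copies the terminator too */
    return 0;
}

/* Convenience wrapper with its own nick_prev-style buffer, so the check can
 * be exercised with a string alone. */
int nick_accepted(const char *nick)
{
    char nick_prev[NICK_LEN];
    return copy_nick_checked(nick_prev, nick);
}

/* Bug B: dc_chat runs strcmp(cmd, usr->nick) while usr->nick is still NULL
 * for a client that has not sent its nickname. Hardened: refuse the chat
 * line before any dereference. usr_nick plays the role of usr->nick.
 * Returns -1 if the sender has no nick yet, 1 if cmd matches it, else 0. */
int chat_sender_ok(const char *usr_nick, const char *cmd)
{
    if (usr_nick == NULL || cmd == NULL)
        return -1;
    return strcmp(cmd, usr_nick) == 0;
}

/* Bug C: privmsg/pubmsg take a printf-style format, and several call sites
 * pass user-controlled text in that position. Toy privmsg (assumption):
 * renders into a buffer instead of sending to a socket. */
static char last_msg[256];

void privmsg(const char *to, const char *op, const char *fmt, ...)
{
    va_list ap;
    (void)to;
    (void)op;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Hardened call: a constant format with the message as an argument, so every
 * '%' in msg is delivered literally. Returns the rendered text. */
const char *send_user_text(const char *to, const char *msg)
{
    privmsg(to, NULL, "%s", msg);
    return last_msg;
}

/* Review aid: number of '%' sequences printf would treat as conversions if
 * this text were ever passed as a format ("%%" is a literal percent). A
 * non-zero count in chat input is worth logging while the fix is rolled out. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                   /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("31-char nick accepted: %d\n",
           nick_accepted("aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "a") == 0);
    printf("32-char nick rejected: %d\n",
           nick_accepted("aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aa") == -1);
    printf("chat before nick rejected: %d\n", chat_sender_ok(NULL, "alice") == -1);
    printf("rendered: %s\n", send_user_text("alice", "100%% sure %x %n"));
    printf("directives in message: %d\n", count_format_directives("%x %n"));
    return 0;
}
```

The nick check rejects rather than truncates: a silently shortened nick would still be accepted by the protocol handler and could collide with another user's name, while rejecting the datagram keeps the UDP path's behaviour explicit. The format fix is the same one-line change at every call site quoted above (pass "%s" and the message as its argument); the directive counter is only a detection aid for spotting such input in logs, not a substitute for the fix.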


Copyright 2007, SecurityGlobal.net LLC