SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Open DC Hub Vendors:   opendchub.sourceforge.net
DC Open Hub Buffer Overflow in RedirectAll Lets Remote Authenticated Administrators Execute Arbitrary Code
SecurityTracker Alert ID:  1012323
SecurityTracker URL:  http://securitytracker.com/id/1012323
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 24 2004
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 0.7.14
Description:   Donato Ferrante reported a buffer overflow vulnerability in DC Open Hub. A remote authenticated administrator can execute arbitrary code on the target system.

It is reported that a remote authenticated administrator can set a specially crafted RedirectAll value to trigger the buffer overflow and execute arbitrary code.

A demonstration exploit is available at:

http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip

The vendor has been notified without response.

Impact:   A remote authenticated administrator can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  opendchub.sourceforge.net/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 29 2004 (Gentoo Issues Fix) DC Open Hub Buffer Overflow in RedirectAll Lets Remote Authenticated Administrators Execute Arbitrary Code   (Luke Macken <lewk@gentoo.org>)
Gentoo has released a fix.



 Source Message Contents

Date:  Wed, 24 Nov 2004 15:54:28 -0000
Subject:  Buffer Overflow in Open Dc Hub 0.7.14



                           Donato Ferrante


Application:  Open Dc Hub
              http://opendchub.sourceforge.net/

Version:      0.7.14

Bug:          Buffer Overflow

Date:         24-Nov-2004

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"An Open Source Linux/Unix version of the hub software for Direct
Connect."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't correctly manage the $RedirectAll command.
In fact it will have a buffer overflow, letting an attacker to execute
arbitrary code on the victim system.

NOTE: To exploit the bug the attacker needs to have admin privilege on
the victim hub.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not not replied to my mails.

In the meantime give admin access only to trusted people.
If you want you can use my following little patch that should fix this
bug:


/* patch */


--- commands.c  2004-11-21 13:01:48.000000000 +0100
+++ patch.c     2004-11-21 13:05:33.000000000 +0100
@@ -2842,7 +2842,7 @@
 {
    char move_string[MAX_HOST_LEN+20];

-   sprintf(move_string, "$ForceMove %s", buf);
+   snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf);

    send_to_humans(move_string, REGULAR | REGISTERED | OP, user);
    remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1);


/* end patch */



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC