SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   mnoGoSearch Vendors:   Lavtech.Com Corp.
mnoGoSearch Buffer Overflow in Processing Large Documents Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009068
SecurityTracker URL:  http://securitytracker.com/id/1009068
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 15 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network

Version(s): Verified on 3.2.15, 3.2.14, and 3.2.13
Description:   A buffer overflow vulnerability was reported in mnoGoSearch. A user with the ability to place documents on the system can execute arbitrary code on the target system.

Frank Denis reported that when the search engine returns a large document that has been indexed, a buffer overflow can be triggered.

The flaw reportedly resides in the UdmDocToTextBuf() function in 'doc.c', where a fixed-length output buffer (of size 'len') can be overflowed.

The vendor was reportedly notified on January 8, 2004.

Impact:   A user with the ability to place documents on the system that will be indexed by the search engine can execute arbitrary code on the target system.
Solution:   No vendor solution was available at the time of this entry.

The author indicates that, as a workaround, you can set the maximum size of every section in 'indexer.conf' to a value that is less than 10 kilobytes:

Section body 1 8192
Section title 2 128
Section meta.keywords 3 128
Section meta.description 4 128
...

Vendor URL:  www.mnogosearch.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Buffer overflow in mnoGoSearch



Product : mnoGoSearch
Date    : 02/15/2004
Author  : Frank Denis <j@pureftpd.org>


  ------------------------[ Product description ]------------------------

  From the web site:

  mnoGoSearch (formerly known as UdmSearch) is a full-featured web search
engine software for intranet and internet servers.

  mnoGoSearch for UNIX is free software covered by the GNU General Public
License and mnoGoSearch for Windows is a commercial search software version.

  Home page: http://www.mnogosearch.ru/


  ------------------------[ Vulnerability ]------------------------

  Every document is stored in multiple parts according to its sections
(description, body, etc.) in databases. When the content has to be sent
to the client, UdmDocToTextBuf() concatenates those parts together and skips
metadata.

  Unfortunately, that function lacks bounds checking and a buffer overflow
can be triggered by indexing a large enough document.

  ------------------------[ Details ]------------------------

  From src/doc.c of the latest release (3.2.15):

int UdmDocToTextBuf(UDM_DOCUMENT * Doc,char *textbuf,size_t len){
    size_t  i;
    char    *end;

    textbuf[0]='\0';
    /* only this first write is bounded by len */
    udm_snprintf(textbuf, len, "<DOC");

    end=textbuf+strlen(textbuf);
    for(i=0;i<Doc->Sections.nvars;i++){
        ...
        /* unbounded: S->val is appended without checking the space left in textbuf */
        sprintf(end,"\t%s=\"%s\"",S->name,S->val);
        end=end+strlen(end);
    }
    strcpy(end,">");
    return UDM_OK;
}

  'len' is fixed to 10K in searchd.c. S->val length depends on the length of
the original document and on the indexer settings (the sample configuration
file has low limits that work around the bug, though).

  Exploitation should be easy; moreover, textbuf points to the stack.


  ------------------------[ Affected versions ]------------------------

  mnoGoSearch 3.2.15, 3.2.14 and 3.2.13 have been verified to be vulnerable,
previous versions may also be affected.


  ------------------------[ Workarounds ]------------------------

  The max size of every section is configurable in the document sections of
the indexer.conf:

Section body                    1       8192
Section title                   2       128
Section meta.keywords           3       128
Section meta.description        4       128
...

  Make sure that the last value of each section is below 10 kilobytes.
  If you need to use a larger value (which can be handy for the body section
to get accurate extracts without using stored), the size of the buffer is
defined in src/searchd.c, in do_client(), around line 216. Change the
textbuf[] size to something that matches the maximum size of your sections.


  ------------------------[ Vendor status ]------------------------

  Vendor was notified on Jan 8 with mails to devel@mnogosearch.org.
  Other vulnerabilities were reported as well.
  No answer was ever received and no fixed version seems to be available yet.


-- 
 __  /*-    Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>    -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
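As an added illustration, not code from mnoGoSearch or from the advisory author, this is a bounds-checked rewrite of the UdmDocToTextBuf() pattern quoted in the message: every write is checked against the space left in textbuf, and a document that would not fit is rejected instead of overflowing. The Section and Document structs are constructed stand-ins for the real UDM types, and the 10K buffer and 16K body section in the demo are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for mnoGoSearch's section variables (assumption,
 * not the real UDM_DOCUMENT / UDM_VAR layout). */
typedef struct { const char *name; const char *val; } Section;
typedef struct { size_t nvars; const Section *vars; } Document;

/* Bounded version of the UdmDocToTextBuf() pattern: snprintf reports the
 * length it wanted, so a result >= remaining space means truncation would
 * have happened. Returns 0 on success, -1 if the serialized document does
 * not fit in len bytes (nothing past textbuf[len-1] is ever written). */
int doc_to_textbuf_bounded(const Document *doc, char *textbuf, size_t len) {
    size_t used;
    int n;
    if (len == 0) return -1;
    n = snprintf(textbuf, len, "<DOC");
    if (n < 0 || (size_t)n >= len) return -1;
    used = (size_t)n;
    for (size_t i = 0; i < doc->nvars; i++) {
        n = snprintf(textbuf + used, len - used, "\t%s=\"%s\"",
                     doc->vars[i].name, doc->vars[i].val);
        if (n < 0 || (size_t)n >= len - used) { textbuf[0] = '\0'; return -1; }
        used += (size_t)n;
    }
    n = snprintf(textbuf + used, len - used, ">");
    if (n < 0 || (size_t)n >= len - used) { textbuf[0] = '\0'; return -1; }
    return 0;
}

/* Demo: a 10K stack buffer (the size the advisory gives for searchd.c) fed
 * a short document and then a constructed 16K body section. Returns 1 when
 * the short one serializes and the large one is refused without overflow. */
static char big_body[16384];
int demo_ten_k_buffer(void) {
    char textbuf[10240];
    memset(big_body, 'A', sizeof big_body - 1);
    big_body[sizeof big_body - 1] = '\0';
    Section small[] = {{"title", "hello"}, {"body", "short text"}};
    Section large[] = {{"title", "hello"}, {"body", big_body}};
    Document d_small = {2, small}, d_large = {2, large};
    int ok  = doc_to_textbuf_bounded(&d_small, textbuf, sizeof textbuf); /* 0 */
    int ovf = doc_to_textbuf_bounded(&d_large, textbuf, sizeof textbuf); /* -1 */
    return ok == 0 && ovf == -1;
}
```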