Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Buffer Overflow in Open Dc Hub 0.7.14

from [Donato Ferrante] Network Security [Permanent Link]
Subject: [Full-Disclosure] Buffer Overflow in Open Dc Hub 0.7.14
Date: Wed, 24 Nov 2004 15:54:28 -0000 

                           Donato Ferrante


Application:  Open Dc Hub
              http://opendchub.sourceforge.net/

Version:      0.7.14

Bug:          Buffer Overflow

Date:         24-Nov-2004

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"An Open Source Linux/Unix version of the hub software for Direct
Connect."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't correctly manage the $RedirectAll command.
In fact it will have a buffer overflow, letting an attacker to execute
arbitrary code on the victim system.

NOTE: To exploit the bug the attacker needs to have admin privilege on
the victim hub.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not not replied to my mails.

In the meantime give admin access only to trusted people.
If you want you can use my following little patch that should fix this
bug:


/* patch */


--- commands.c  2004-11-21 13:01:48.000000000 +0100
+++ patch.c     2004-11-21 13:05:33.000000000 +0100
@@ -2842,7 +2842,7 @@
 {
    char move_string[MAX_HOST_LEN+20];

-   sprintf(move_string, "$ForceMove %s", buf);
+   snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf);

    send_to_humans(move_string, REGULAR | REGISTERED | OP, user);
    remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1);


/* end patch */



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] Buffer Overflow in Open Dc Hub 0.7.14, Donato Ferrante <=
Previous by Date:  Re: [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration, dullien
Next by Date:  Re: Changes to the filesystem while find is running - comments?, Martin Buchholz
Previous by Thread:  [CLA-2004:896] Conectiva Security Announcement - bugzilla, Conectiva Updates
Next by Thread:  Limited buffer-overflow and arbitrary memory access in Star Wars Battlefront 1.11, Luigi Auriemma
Indexes:  [Date] [Thread] [Top] [All Lists]