-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 File: LynX-adv4_SignatureDB.txt
 Date: 15/02/2004
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

 o NAME: problems with database files in 'SignatureDB'

 o CLASS: denial of service (DOS)

 o PROGRAMM: SignatureDB [http://pldaniels.com/signaturedb/]
  - Affected versions: 0.1.1
  - Immune versions: -

 o OS: Linux and UNIX clones

 o VENDOR: Paul L Daniels <pldaniels@pldaniels.com>

 o DESCRIPTION:
   'SignatureDB' is actually two components, a signature database which is
  available on the internet, and a 'signatureID' program, which scans your files.
  You can in effect consider 'SDB/ID' in the same way you consider and use an
  'AntiVirus' program, but 'SDB/ID' are aimed at a slightly different sector of
  the industry. Its purpose is to provide signatures/fingerprints of common,
  annoying emails/files, not specifically viruses.
   
 o VULNERABILITY DESCRIPTION:
   'SignatureDB' package contain 'sdbscan' program, which scans files, in 
  according with specified database file. It is possible to create a big 'key'
  parameter in this file, that will reduce to 'Segmentation fault'. Function which
  work with contents of database files, are located in 'ringsearch.c' file. 
   After '#' - going my comments.
   
   Cut from file: 'ringsearch.h'
   ...
   33 struct _infonode {
   34  char key[20];
   35  char *comment;
   36  int major;
   37  int minor;
   38  int flags;
   39 };
   ...

   Cut from file: 'ringsearch.c'
   ...
   537 int RS_load_keys( struct _snode *parent, char *fname ){
                        /* # where 'fname' - database filename */
   ...
   541  char line[10240]; /* # allocating memory for 10240 bytes, and then use */
                          /* # only 1024, maybe author was mistaken and last 0 */
                          /* # is unnecessary :) */
   ...
   562   while (fgets(line, 1023, f)){
   ...
   582    sprintf(info->key,"%s",key); /* # size of 'key' are not checking, its */
                                       /* # can be =< 1018 bytes, and size of */
                                       /* # 'info->key' is equal 20 bytes, so */
                                       /* # 'info->key' can be overflowed */
   ...

   Its only first version of 'SignatureDB', so i think that in the next versions
  this problem will be fixed.
   P.S. Sorry, for my poor english :).

 o VULNERABILITY PREVENTION:
   Instead of using 'sprintf' function, will be more correct to use function
  'snprintf'.

 o EXPLOITING:
   It is possible to specify configuration file for 'sdbscan' program, in this
  file you may type path to your own database file, which contents can cause
  buffer overflow and then 'Segmentation fault'.
   
   Example of exploiting :
   
   [LynX@ /tmp]$ cat my.conf
   dbfile=/tmp/fake.db
   verbose=1
   fastscan=0
   fastexit=0
   [LynX@ /tmp]$ cat fake.db
   AAA ... '1000 x A' ... AAA:1:1:1:1:A:A
   [LynX@ /tmp]$ sdbscan --conf_file=my.conf
   Segmentation fault (core dumped) 
   [LynX@ /tmp]$
 
 o VENDOR RESPONSE:
   I sent notification mail to the Paul Daniels <pldaniels@pldaniels.com> and
  did not received an answer.

 o CREDITS:
  - Thanks: nob0dy, netc0de, Xarth
  - Greets: R00T T34M [http://rootteam.void.ru],
            void,
            LimpidByte,
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                Discovered by LynX
                                                                     <_LynX@bk.ru>
                                               / close your eyes & dream with me /
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAkAv8HMACgkQjvZ3gq5fCnGA8gCgnqItklxup0YzArOkT6nn+kNI
5BgAoOf+SFgV1vXH73RcdzIWXbdXa8NK
=iIIl
-----END PGP SIGNATURE-----