A buffer overflow exists in the Open Dc Hub program that allows for arbitrary code execution. Version 0.7.14 is affected.
5d7728d7a1361bced3f0c6e6bc6738ad15502e921eb3164f0124e62d24c94b98
Donato Ferrante
Application: Open Dc Hub
http://opendchub.sourceforge.net/
Version: 0.7.14
Bug: Buffer Overflow
Date: 24-Nov-2004
Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"An Open Source Linux/Unix version of the hub software for Direct
Connect."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't correctly manage the $RedirectAll command.
In fact it will have a buffer overflow, letting an attacker to execute
arbitrary code on the victim system.
NOTE: To exploit the bug the attacker needs to have admin privilege on
the victim hub.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
No fix.
The vendor has not not replied to my mails.
In the meantime give admin access only to trusted people.
If you want you can use my following little patch that should fix this
bug:
/* patch */
--- commands.c 2004-11-21 13:01:48.000000000 +0100
+++ patch.c 2004-11-21 13:05:33.000000000 +0100
@@ -2842,7 +2842,7 @@
{
char move_string[MAX_HOST_LEN+20];
- sprintf(move_string, "$ForceMove %s", buf);
+ snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf);
send_to_humans(move_string, REGULAR | REGISTERED | OP, user);
remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1);
/* end patch */
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx