NapShare version 1.2 is susceptible to a buffer overflow in the auto_filter_extern() function.
From djb@cr.yp.to Wed Dec 15 14:22:12 2004
Date: 15 Dec 2004 08:24:39 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, napshare-developer@lists.sourceforge.net
Subject: [remote] [control] NapShare 1.2 auto_filter_extern overflows filename buffer
Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered a remotely exploitable security hole in NapShare, at
least version 1.2 (the current version in FreeBSD ports). I'm publishing
this notice, but all the discovery credits should be assigned to Sieka.
You are at risk if you use NapShare with an ``extern'' filter.
Anyone who provides a gnutella response to NapShare (not necessarily the
legitimate server administrator; an attacker can modify responses
passing through the network) then has complete control over your
account: he can read and modify your files, watch the programs you're
running, etc.
The attached files 40-1.c and 40-2.c are two different proof-of-concept
servers that will convince NapShare under FreeBSD 5 to create
unauthorized files in the current directory.
Here's the bug: In auto.c, auto_filter_extern() uses strcpy() to copy
any amount of data into a 5200-byte filename[] array.
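As an added illustration (this is not NapShare's code and not part of the advisory), the hypothetical reconstruction below places the unbounded strcpy() pattern next to a bounded copy that rejects any name which does not fit in a 5200-byte array; the function names, the helper and the constructed test names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define FILENAME_LEN 5200   /* size of filename[] as stated in the advisory */

/* Hypothetical reconstruction of the flawed pattern (not NapShare's code):
 * an unbounded strcpy() from a network-supplied name into a fixed buffer.
 * Any name of FILENAME_LEN bytes or more writes past the end of dst. */
static void copy_name_unbounded(char *dst, const char *untrusted_name)
{
    strcpy(dst, untrusted_name);
}

/* Hardened form: measure the input first and refuse anything that would not
 * fit together with its NUL terminator. Returns 0 on success, -1 if rejected. */
static int copy_name_bounded(char *dst, size_t dst_size, const char *name)
{
    size_t len = 0;
    while (len < dst_size && name[len] != '\0')
        len++;
    if (len == dst_size)            /* no room left for the terminator */
        return -1;
    memcpy(dst, name, len + 1);
    return 0;
}

/* Stand-in for the filter entry point: accepts a response name only if it fits. */
int auto_filter_extern_checked(const char *untrusted_name)
{
    char filename[FILENAME_LEN];
    return copy_name_bounded(filename, sizeof filename, untrusted_name);
}

/* Runs a constructed name of n 'A' bytes (capped at the scratch buffer) through the check. */
int check_name_of_length(size_t n)
{
    static char name[FILENAME_LEN + 256];
    if (n >= sizeof name) n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return auto_filter_extern_checked(name);
}

int main(void)
{
    char small[16];
    copy_name_unbounded(small, "song.mp3");   /* safe only because the input is short */
    printf("%s: %d\n", small, check_name_of_length(strlen(small)));
    printf("%d-byte name: %d\n", FILENAME_LEN, check_name_of_length(FILENAME_LEN));
    return 0;
}
```

A name of 5199 bytes is the longest the bounded copy accepts; anything longer is refused before it reaches the stack buffer, where the original strcpy() would already have overflowed.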
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago