ZRCSA-200503.txt

ZRCSA-200503.txt: Posted Nov 30, 2005; Authored by Siegfried, deepfear; ktools versions 0.3 and below suffer from a buffer overflow vulnerability.; tags | advisory, overflow; SHA-256 | 918ef9d4641780120c240699cc4f252ce1d302824630f5a0f13b19568aefca5d; Download | Favorite | View

ZRCSA-200503.txt

ZRCSA-200503 - ktools Buffer Overflow Vulnerability

Zone-H Research Center Security Advisory 200503
http://www.zone-h.fr

Date of release: 27/11/2005
Software: ktools (http://konst.org.ua/ktools)
Affected versions: <= 0.3
Risk: Medium
Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team

Background (from http://konst.org.ua/ktools)
----------
ktools is a library which I wrote for my own programming needs, though its main purpose is to provide various text-mode user interface controls without a need to write too much code.

Details
--------
There is a buffer overflow in kkstrtext.h : 

#define VGETSTRING(c, fmt) \
    { \
  va_list vgs__ap; char vgs__buf[1024]; \
  va_start(vgs__ap, fmt); \
  vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
  va_end(vgs__ap); \
    }

This library is used in the following softwares:
centericq
orpheus
motor
groan

(see http://konst.org.ua/en/konstware)

It can be exploited for example in centericq when editing a contact's details with a detail field longer than 1024 chars (a <description> field of a rss feed for example).

Details:

- centericq.cc :

 case ACT_EDITUSER:
    c->save();
    /***************** here************/
    if(face.updatedetails(c, c->getdesc().pname)) {
        if(c->getdesc().pname == infocard)
      c->setdispnick(c->getnick());

...
...

- icqdialogs.cc :

bool icqface::updatedetails(icqcontact *c, protocolname upname) {

...
...
  while(!finished) {;
  gendetails(db.gettree(), c);
...
...


gendetails()
..
if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) || !capab.count(hookcapab::flexiblereg)) {
  i = tree->addnode(_(" About "));
  
  tree->addleaff(i, 0, 39, " %s ", about.c_str());



- treeview.cc :

int treeview::addleaff(int parent, int color, int ref, const char *fmt, ...) {
    string buf;
    VGETSTRING(buf, fmt);
    return addleaf(parent, color, (void *) ref, buf);
}



- kkstrtext.h :

#define VGETSTRING(c, fmt) \
    { \
  va_list vgs__ap; char vgs__buf[1024]; \
  va_start(vgs__ap, fmt); \
  vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
  va_end(vgs__ap); \
    }


Solution
---------
None. Vendor contacted on 18/11 and 25/11, no answer.

Original advisories:
English version: http://www.zone-h.org/en/advisories/read/id=8480/
French: http://www.zone-h.fr/fr/advisories/read/id=685

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

ZRCSA-200503.txt

ZRCSA-200503.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ZRCSA-200503.txt

Share This

ZRCSA-200503.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems