-       0x333 OUTSIDERS SECURITY LABS       -
            -              www.0x333.org              -
title: University of Minnesota Gopherd do_command() Buffer Overflow Vulnerability



~~~ contents ~~~

0x0 Description
0x1 Code sucks
0x2 Exploit
0x3 Info


0x0 Description

nic found a buffer overflow vulnerability in do_command() of the University of Minnesota Gopherd.
It may be exploited remotely to execute arbitrary code.
Vulnerable versions: <= v3.0.5

0x1 Code sucks

In Gopherd.c, do_command(), we found:

...
    CMDfromNet(cmd, sockfd);
...
                if (authpw == NULL || authuser == NULL)
                    Die(sockfd, 411, "Missing Username or password");
            } /* End else */
        } else {
            authuser = CMDgetAskline(cmd, 0);   /* <-- point: client-supplied */
            authpw   = CMDgetAskline(cmd, 1);
        }
...
        case AUTHRES_OK:
            Gticket = (char*) malloc(sizeof(char*) *
                                     (strlen(authuser) +
                                      strlen(authpw)+5));
            strcpy(cleartext, authuser);        /* <-- point: unchecked copy */
            strcat(cleartext, " ");
            strcat(cleartext, authpw);
...

command.h:
    #define CMDgetAskline(a,b)  (STAgetText((a)->asklines,b))

....

Gopherd.c, main() (sockfd comes from the client):

line 1129:  newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr,
...
            else if (childpid == 0) {          /* Child process */
                close(sockfd);                 /* close original socket */
...
line 1160:      (void)do_command(newsockfd);   /* process the request */  <-- point
                gopherd_exit(0);




So there is an unchecked strcpy() into a fixed-size stack buffer (char cleartext[64]). The
authuser value comes straight from the client's ASK line, so a long authuser can overflow it.
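The following is an added example, not gopherd code: it recreates the "user pw" assembly step from do_command() with a length check in front of the copy, so the 64-byte limit is enforced instead of silently exceeded. The function names, the 64-byte constant (taken from the cleartext[64] declaration above) and the sample inputs are assumptions constructed for this example.

```c
/* Added example (not gopherd's code): the cleartext[64] assembly step from
   do_command() rewritten with an explicit bound check. Names are assumptions. */
#include <stdio.h>
#include <string.h>

#define CLEARTEXT_LEN 64   /* matches the char cleartext[64] in the advisory */

/* Scratch buffer standing in for the stack buffer `cleartext` in do_command(). */
char cleartext_demo[CLEARTEXT_LEN];

/* Constructed sample: a username far longer than the 64-byte buffer. */
static char long_user_buf[96];

const char *constructed_long_user(void)
{
    memset(long_user_buf, 'A', sizeof(long_user_buf) - 1);
    long_user_buf[sizeof(long_user_buf) - 1] = '\0';
    return long_user_buf;
}

/* Does "user pw\0" fit into CLEARTEXT_LEN bytes?  Returns 1 if yes, 0 if no.
   This is exactly the check the original strcpy()/strcat() sequence lacks. */
int cleartext_fits_len(size_t ulen, size_t plen)
{
    return ulen + 1 + plen + 1 <= CLEARTEXT_LEN;   /* user, space, pw, NUL */
}

int cleartext_fits(const char *user, const char *pw)
{
    if (user == NULL || pw == NULL)
        return 0;
    return cleartext_fits_len(strlen(user), strlen(pw));
}

/* Bounded replacement for:
       strcpy(cleartext, authuser); strcat(cleartext, " "); strcat(cleartext, authpw);
   Writes "user pw" into out (outlen bytes) and returns 0, or returns -1 and
   leaves out untouched when the result would not fit.  Rejecting, rather than
   truncating, keeps the later ticket/auth logic from seeing a mangled value. */
int build_cleartext_safe(char *out, size_t outlen, const char *user, const char *pw)
{
    if (out == NULL || user == NULL || pw == NULL)
        return -1;
    if (strlen(user) + 1 + strlen(pw) + 1 > outlen)
        return -1;
    int n = snprintf(out, outlen, "%s %s", user, pw);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                                /* defensive: should not happen */
    return 0;
}

int main(void)
{
    const char *pw = "secret";

    if (build_cleartext_safe(cleartext_demo, sizeof cleartext_demo, "alice", pw) == 0)
        printf("ok:       \"%s\"\n", cleartext_demo);

    if (build_cleartext_safe(cleartext_demo, sizeof cleartext_demo,
                             constructed_long_user(), pw) != 0)
        printf("rejected: username of %zu bytes does not fit in %d\n",
               strlen(constructed_long_user()), CLEARTEXT_LEN);
    return 0;
}
```

The boundary is worth checking explicitly: with a 6-byte password, a 56-byte username is the longest that fits (56 + 1 + 6 + 1 = 64), and a 57-byte one is rejected.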



0x2 Exploit

The code is too disorderly; I am studying from vade79 to exploit it.


0x3 Info

- 0x333 OutSiders Security Labs 2003 -
finder : nic 
web    : http://www.0x333.org
mail   : nic0x333@hotmail.com