Donato Ferrante Application: Open Dc Hub http://opendchub.sourceforge.net/ Version: 0.7.14 Bug: Buffer Overflow Date: 24-Nov-2004 Author: Donato Ferrante e-mail: fdonato@autistici.org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bug 3. The code 4. The fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "An Open Source Linux/Unix version of the hub software for Direct Connect." xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 2. The bug: ------------ The program doesn't correctly manage the $RedirectAll command. In fact it will have a buffer overflow, letting an attacker to execute arbitrary code on the victim system. NOTE: To exploit the bug the attacker needs to have admin privilege on the victim hub. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- To test the vulnerability: http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The fix: ------------ No fix. The vendor has not not replied to my mails. In the meantime give admin access only to trusted people. If you want you can use my following little patch that should fix this bug: /* patch */ --- commands.c 2004-11-21 13:01:48.000000000 +0100 +++ patch.c 2004-11-21 13:05:33.000000000 +0100 @@ -2842,7 +2842,7 @@ { char move_string[MAX_HOST_LEN+20]; - sprintf(move_string, "$ForceMove %s", buf); + snprintf(move_string, MAX_HOST_LEN, "$ForceMove %s", buf); send_to_humans(move_string, REGULAR | REGISTERED | OP, user); remove_all(UNKEYED | NON_LOGGED | REGULAR | REGISTERED | OP, 1, 1); /* end patch */ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx