|
|
#######################################################################
Luigi Auriemma
Application: DConnect Daemon
http://www.dc.ds.pg.gda.pl
Versions: <= 0.7.0 and CVS <= 30 Jul 2006
Platforms: Windows, *nix, *BSD and others
Bugs: A] listen_thread_udp buffer-overflow
B] dc_chat NULL pointer
C] various format string bugs (privileges needed)
Exploitation: remote
Date: 06 Aug 2006
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
==============1) Introduction
==============
DConnect Daemon is an open source P2P server for the Direct Connect
protocol.
#######################################################################
======2) Bugs
======
------------------------------------
A] listen_thread_udp buffer-overflow
------------------------------------
The main function which handles the UDP packets is affected by a
buffer-overflow vulnerability which happens when a nickname longer than
32 (NICK_LEN) chars is received.
The UDP port is disabled by default, the min_slots parameter in
dcd.conf must be enabled for using this service.
>From main.c:
void listen_thread_udp(void *args)
...
char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL, *__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
...
if (!i)nick_prev[0]=0;
else strcpy(nick_prev,nick);
...
-----------------------
B] dc_chat NULL pointer
-----------------------
The dc_chat function used for handling the messages received from the
clients leads to a crash caused by usr->nick which points to NULL if
the client has not sent its nickname yet (so it's enough to send a
message as first command for exploiting this bug).
>From cmd.dc.c:
void dc_chat(dc_param_t *param)
{
userrec_t *usr = param->usr;
...
if (strcmp(cmd,usr->nick))
...
-------------------------------------------------
C] various format string bugs (privileges needed)
-------------------------------------------------
privmsg and pubmsg are two functions used to send messages to one or
more users.
Both the functions require a format argument (like printf) which is
missed in some parts of the code.
These format string vulnerabilities can be exploited only if the
attacker has superior user or administrator privileges.
>From cmd.user.c:
void chat_msg(chat_param_t *param)
...
if (user[n]!=usr) pubmsg(user[n],msg);
...
void chat_msg_all(chat_param_t *param)
...
pubmsg(NULL,par);
...
void chat_msg_prv(chat_param_t *param)
...
if (user[n]!=usr) privmsg(user[n],NULL,msg);
...
void chat_msg_prv_all(chat_param_t *param)
...
privmsg(NULL,NULL,msg);
...
>From penalties.c:
void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
...
privmsg(to,op,str);
...
>From cmd.dc.c:
void dc_OpForceMove(dc_param_t *param)
...
privmsg(usr,NULL,msg);
...
#######################################################################
==========3) The Code
==========
http://aluigi.org/poc/dconnx.zip
#######################################################################
=====4) Fix
=====
CVS 31 Jul 2006:
cvs -d:pserver:anonymous@cvs.ds.pg.gda.pl:/home/cvsroot get dc-hub
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org