Advisory that discusses exploitation of the University of Minnesota Gopherd version 3.0.5 and below that makes use of the do_command() buffer overflow vulnerability.
- 0x333 OUTSIDERS SECURITY LABS -
- www.0x333.org -
title: University of Minnesota Gopherd do_command() Buffer Overflow Vulnerability
~~~ contents ~~~
0x0 Description
0x1 Code sucks
0x2 Exploit
0x3 Info
0x0 Description
nic found a buffer overflow vulnerability in do_command() of the University of Minnesota Gopherd.
It may be exploited remotely to execute arbitrary code.
Vulnerable versions: <= 3.0.5.
0x1 Code sucks
In Gopherd.c / do_command() we found:

    ...
    CMDfromNet(cmd, sockfd);                 /* the request is read from the client socket */
    ...
        if (authpw == NULL || authuser == NULL)
            Die(sockfd, 411, "Missing Username or password");
    } /* End else */
    } else {
        authuser = CMDgetAskline(cmd, 0);    /* point: taken from the client's request */
        authpw = CMDgetAskline(cmd, 1);
    }
    ...
    case AUTHRES_OK:
        Gticket = (char*) malloc(sizeof(char*) *
                                 (strlen(authuser) +
                                  strlen(authpw)+5));
        strcpy(cleartext, authuser);         /* point: unbounded copy into cleartext[64] */
        strcat(cleartext, " ");
        strcat(cleartext, authpw);
    ....
command.h/ #define CMDgetAskline(a,b) (STAgetText((a)->asklines,b))
....
Gopherd.c / main() (sockfd is the listening socket, newsockfd the accepted client connection; each client is handled in a forked child, so the parent keeps serving after a child crashes):

    newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr,       /* Gopherd.c:1129 */
    ...
    else if (childpid == 0) {            /* Child process */
        close(sockfd);                   /* close original socket */
        (void)do_command(newsockfd);     /* process the request */   /* Gopherd.c:1160 */
        gopherd_exit(0);
So there is an unchecked strcpy(): cleartext is declared as char cleartext[64], a fixed 64-byte local buffer, while authuser (and authpw, appended by the two strcat() calls that follow) come straight from the client's request, so a sufficiently long authuser overflows it. The malloc() for Gticket is sized from the credential lengths, but cleartext is not.

Note that in the excerpt the strcpy() sits under case AUTHRES_OK, i.e. after the credential check has returned success; whether the overflow can be reached without valid credentials is not shown here.
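To make the defect concrete, here is an added example (not code from this advisory or from Gopherd itself): a reconstruction of the vulnerable strcpy()/strcat() pattern next to a bounded version. The struct frame with its canary and slack, the function names and the 'A'-filled authuser are assumptions made for the demonstration only; the real do_command() frame holds other locals, saved registers and the return address past cleartext instead of a canary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define CLEARTEXT_SZ 64          /* matches char cleartext[64] in do_command() */
#define CANARY       0xdeadbeefu

/* Hypothetical stand-in for the memory around cleartext (an assumption for this
 * demo, not gopherd's layout): a canary sits right after the buffer so the
 * overflow can be observed, and the slack absorbs the extra bytes so the
 * process does not crash. */
struct frame {
    char cleartext[CLEARTEXT_SZ];
    volatile unsigned int canary;   /* volatile: force a real reload after the copy */
    char slack[1024];
};

/* Reconstruction of the vulnerable pattern from the advisory: unbounded
 * strcpy()/strcat() into the 64-byte buffer. dst is a bare pointer, so the
 * callee knows nothing about its size. noinline keeps the compiler (and
 * _FORTIFY_SOURCE) from seeing the real object behind dst. */
__attribute__((noinline))
void build_ticket_vuln(char *dst, const char *authuser, const char *authpw)
{
    strcpy(dst, authuser);
    strcat(dst, " ");
    strcat(dst, authpw);
}

/* Hardened form: compute the required length first and refuse over-long
 * credentials (the caller should answer with an error, the way Die() already
 * handles missing credentials) rather than truncating silently.
 * Returns 0 on success, -1 if "user pw" plus NUL does not fit in cap bytes. */
int build_ticket_safe(char *dst, size_t cap, const char *authuser, const char *authpw)
{
    size_t need = strlen(authuser) + 1 + strlen(authpw) + 1;   /* user, ' ', pw, NUL */
    if (need > cap)
        return -1;
    int n = snprintf(dst, cap, "%s %s", authuser, authpw);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Constructed input: an authuser of userlen 'A' bytes (caller frees). */
static char *make_user(size_t userlen)
{
    char *user = malloc(userlen + 1);
    if (user) {
        memset(user, 'A', userlen);
        user[userlen] = '\0';
    }
    return user;
}

/* Runs the vulnerable builder with password "pw" and reports whether the
 * canary behind cleartext survived: true for a short authuser, false once
 * "user pw" plus its NUL no longer fits in 64 bytes (61 'A's already fail). */
bool canary_survives(size_t userlen)
{
    struct frame f;
    char *user = make_user(userlen);
    if (!user)
        return false;
    f.canary = CANARY;
    build_ticket_vuln(f.cleartext, user, "pw");
    free(user);
    return f.canary == CANARY;
}

/* Same input through the bounded builder: returns its status code. */
int safe_builder_result(size_t userlen)
{
    char cleartext[CLEARTEXT_SZ];
    char *user = make_user(userlen);
    if (!user)
        return -1;
    int rc = build_ticket_safe(cleartext, sizeof cleartext, user, "pw");
    free(user);
    return rc;
}

int main(void)
{
    printf("authuser of  10 bytes: canary %s\n", canary_survives(10)  ? "intact" : "clobbered");
    printf("authuser of 100 bytes: canary %s\n", canary_survives(100) ? "intact" : "clobbered");
    printf("bounded builder, 100-byte authuser: rc=%d\n", safe_builder_result(100));
    return 0;
}
```

The boundary is exact: with the 2-byte password, a 60-byte authuser fills cleartext completely including the NUL, while 61 bytes pushes the terminator one byte past the buffer, which is the first byte of whatever follows it in the frame. The bounded builder rejects the same 61-byte input instead of writing it, and the caller can report it the way Die(sockfd, 411, ...) already reports missing credentials.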
0x2 Exploit
The code is too disorderly; I am studying vade79's work to exploit it.
0x3 Info
- 0x333 OutSiders Security Labs 2003 -
finder : nic
web : http://www.0x333.org
mail : nic0x333@hotmail.com