
List:       helix-server-cvs
Subject:    [Server-cvs] engine/session player.cpp, 1.84.2.20.14.10,
From:       atin () helixcommunity ! org
Date:       2008-05-15 22:19:31
Message-ID: 200805152219.m4FMJk97027066 () dommarcmx ! xen ! 10east ! com

Update of /cvsroot/server/engine/session
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv24747

Modified Files:
      Tag: SERVER_11_1
	player.cpp 
Log Message:
Synopsis
========
Sending malformed base64-encoded data in a SET_PARAMETER command containing
the DataConvertBuffer header caused the server to crash and exposed a
potential exploit due to a heap overflow.

Branches: SERVER_11_1, SERVER_12_1, SERVER_12_0, SERVER_CURRENT
Reviewed by: dcollins


Description
===========
The problem was that the return value of BinFrom64() was not being checked for
error (-1 == 0xffffffff), and it was being used to set the size of an IHXBuffer,
thereby causing CA and a heap buffer overflow. This vulnerability allows an
attacker to execute arbitrary code (the content in the message) under the
context of the SYSTEM user.

Thanks to the TippingPoint folks for finding this vulnerability.

Files Affected
==============
SERVER_12_1, SERVER_12_0, SERVER_CURRENT:
    server/engine/session/clientsession.cpp

SERVER_11_1:
    server/engine/session/player.cpp

Testing Performed
=================
Unit Tests:
N/A

Integration Tests:
Simple test to see that the server works fine with the change.

Leak Tests:
Tested only on the SERVER_11_1 and SERVER_12_0 branches, with zero leaks
observed due to this change.

Performance Tests:
N/A

Platforms Tested: sunos-5.10-sparc-server, linux-rhel4-i686
Build verified: sunos-5.10-sparc-server, linux-rhel4-i686


Index: player.cpp
===================================================================
RCS file: /cvsroot/server/engine/session/Attic/player.cpp,v
retrieving revision 1.84.2.20.14.10
retrieving revision 1.84.2.20.14.11
diff -u -d -r1.84.2.20.14.10 -r1.84.2.20.14.11
--- player.cpp	23 Nov 2007 11:10:52 -0000	1.84.2.20.14.10
+++ player.cpp	15 May 2008 22:19:29 -0000	1.84.2.20.14.11
@@ -5420,6 +5420,11 @@
     pNewBuf->SetSize(contentLen);
     int offset = BinFrom64(pContent, contentLen,
             (unsigned char*)pNewBuf->GetBuffer());
+    if (offset < 0)
+    {
+	pNewBuf->Release();
+	return;
+    }
     pNewBuf->SetSize(offset);
     m_pDataConvert->ControlBufferReady(pNewBuf);
     pNewBuf->Release();
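Review bot: the new `if (offset < 0)` block rejects the malformed request silently; returning without logging or an error status means a client sending bad base64 in the DataConvertBuffer header is indistinguishable from a dropped request, so consider emitting a log line or error response before `return;` so the condition is visible to operators. Two smaller points in the same hunk: the return value of the preceding `pNewBuf->SetSize(contentLen);` is still unchecked, so an allocation failure would hand `BinFrom64()` a buffer of unknown size, and the added `pNewBuf->Release();` and `return;` lines are tab-indented while the surrounding `if`/braces use spaces.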


_______________________________________________
Server-cvs mailing list
Server-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/server-cvs
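The fix above hinges on one detail: a decoder that signals failure with a signed -1 feeds a buffer API that takes an unsigned size, so the error code becomes 0xffffffff. The following is an added example, not code from the Helix server or from this commit; it uses a small stand-in base64 decoder (binFrom64) and buffer class (Buffer) with hypothetical names chosen to mirror the hunk, and shows both the value that reaches SetSize when the return is not checked and the guarded handler that rejects malformed input before sizing the buffer. Its decoder also rejects bad padding and non-alphabet characters, which the page's description does not detail.

```cpp
// Added example (not HelixCommunity code). Names binFrom64, Buffer and
// handleDataConvertBuffer are assumptions modelled on the hunk on this page.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Decode base64 into out (caller guarantees at least len bytes of room).
// Returns the number of bytes written, or -1 on malformed input
// (length not a multiple of 4, bad character, misplaced padding).
static int binFrom64(const char* in, int len, unsigned char* out) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (len <= 0 || len % 4 != 0) return -1;
    int written = 0;
    for (int i = 0; i < len; i += 4) {
        uint32_t acc = 0;
        int pad = 0;
        for (int j = 0; j < 4; ++j) {
            char c = in[i + j];
            if (c == '=') {
                // '=' is only valid in the last two slots of the final quartet
                if (i + 4 != len || j < 2) return -1;
                ++pad;
                acc <<= 6;
            } else {
                if (pad) return -1;                 // data after padding
                const char* p = strchr(tbl, c);
                if (c == '\0' || !p) return -1;     // not in the base64 alphabet
                acc = (acc << 6) | (uint32_t)(p - tbl);
            }
        }
        out[written++] = (unsigned char)(acc >> 16);
        if (pad < 2) out[written++] = (unsigned char)(acc >> 8);
        if (pad < 1) out[written++] = (unsigned char)acc;
    }
    return written;
}

// Stand-in for the IHXBuffer usage in the hunk: setSize takes an unsigned
// length, so a signed -1 passed to it silently becomes 0xffffffff.
class Buffer {
public:
    static constexpr uint32_t kMaxSize = 1u << 20;   // constructed sanity cap
    bool setSize(uint32_t n) {
        if (n > kMaxSize) return false;              // refuse absurd sizes
        data_.resize(n);
        return true;
    }
    uint32_t size() const { return (uint32_t)data_.size(); }
    unsigned char* bytes() { return data_.empty() ? nullptr : data_.data(); }
private:
    std::vector<unsigned char> data_;
};

// Pre-fix behaviour: the decoder's return value is handed straight to the
// unsigned size parameter. For malformed input this yields 0xffffffff.
static uint32_t sizePassedWithoutCheck(const std::string& content) {
    std::vector<unsigned char> scratch(content.size() + 1);
    int offset = binFrom64(content.c_str(), (int)content.size(), scratch.data());
    return (uint32_t)offset;        // -1 reinterpreted as an unsigned length
}

// Hardened handling, mirroring the fix in the hunk: reject a negative return
// before it can be reinterpreted as a size. Returns decoded length or -1.
static int handleDataConvertBuffer(const std::string& content, Buffer& buf) {
    int contentLen = (int)content.size();
    // Decoded output is never longer than the base64 input.
    if (!buf.setSize((uint32_t)contentLen)) return -1;
    int offset = binFrom64(content.c_str(), contentLen, buf.bytes());
    if (offset < 0) {
        buf.setSize(0);             // drop the request instead of sizing with -1
        return -1;
    }
    buf.setSize((uint32_t)offset);
    return offset;
}

// Convenience wrapper: decoded bytes as text, or "" when rejected.
static std::string decodedAsString(const std::string& content) {
    Buffer buf;
    int n = handleDataConvertBuffer(content, buf);
    if (n < 0) return std::string();
    return std::string((const char*)buf.bytes(), (size_t)n);
}
```

The same guard is what the committed hunk adds: the decoder's negative return is checked before it reaches SetSize, so a malformed DataConvertBuffer payload is discarded instead of resizing the buffer to 0xffffffff.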