PSR - #2004-001 Remote - LCDProc

To: bugtraq@xxxxxxxxxxxxxxxxx, security-officer@xxxxxxxxxxx, security@xxxxxxxxxxxxxxxx
Subject: PSR - #2004-001 Remote - LCDProc
From: Priv8 Security Research <security@xxxxxxxxxxxxxxxxx>
Date: Thu, 08 Apr 2004 17:10:13 -0300
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

***************************************************************************
 Priv8 Security Research - #2004-001              security@xxxxxxxxxxxxxxxxx
 http://www.priv8security.com                     Adriano Lima
 February 22nd, 2004
---------------------------------------------------------------------------

Package Name: LCDproc
Vendor URL:  http://lcdproc.omnipotent.net
Date:  2004-02-22  
ID:  PSR-#2004-001
Affected Version: All Versions
Risk: HIGH

***************************************************************************

Package Description:

LCDproc is a software that displays real-time system information from your 
Linux/*BSD box on a LCD. The server supports several serial devices: Matrix 
Orbital, Crystal Fontz, Bayrad, LB216, LCDM001 (kernelconcepts.de), Wirz-SLI, 
Cwlinux(.com) and PIC-an-LCD; and some devices connected to the LPT port: 
HD44780, STV5730, T6963, SED1520 and SED1330. Various clients  that display 
things such as CPU load, system load, memory usage, uptime, and a lot more, are 
available.


Problem Description:

A remote exploitable buffer overflow that allows remote users to execute an 
arbitrary code was found on LCDd server.
The problem appears on function parse_all_client_messages() of parse.c file, a 
loop does not check if MAXARGUMENTS were
reached, causing the program to crash when lots of arguments are passed to the 
function.

Testing:

See proof of concept code on
http://www.priv8security.com/releases/priv8lcd44.pl

Solutions:

        It is recommended that all users upgrade to version 0.4.4 and install 
the follow patch coded by Rodrigo Rubira Branco.
        http://www.priv8security.com/releases/lcdproc.patch


References (See also):
        http://www.priv8security.com/releases/lcdproc/lcdproc.adv1
        http://www.priv8security.com/releases/lcdproc/lcdproc.adv2
        http://www.priv8security.com/releases/lcdproc/lcdproc.patch
        http://www.priv8security.com/releases/lcdproc/priv8lcd44.pl


ADDITIONAL INSTRUCTIONS:
        Apply this patch against the latest version of lcdproc.


About Priv8 Security Research Group:
        Priv8 Security is a group of programmers and enthusiastic friends
new and motivated the security area.


Questions:
        If you have any questions, send a mail to security@xxxxxxxxxxxxxxxxx

  Check out our mailing lists:
  <http://www.priv8security.com>


  The advisory itself is available at
  <http://www.priv8security.com/releases/lcdproc/lcdproc.adv1>


---------------------------------------------------------------------------
All advisories are signed with Priv8 GPG key. The key and instructions
on how to import it can be found at
http://www.priv8security.com
Instructions on how to check the signatures of the packages can be
found at http://www.priv8security.com

---------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.priv8security.com

- -------------------------------------------------------------------------
Copyright (c) 2004 Priv8 Security
http://www.priv8security.com

---------------------------------------------------------------------------
subscribe: security@xxxxxxxxxxxxxxxxx
unsubscribe: security@xxxxxxxxxxxxxxxxx

Prev by Date: Re: IPv4 fragmentation --> The Rose Attack
Next by Date: Re: Microsoft IE iframe src DoS already reported to Microsoft
Previous by thread: Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache
Next by thread: PSR - #2004-002 Remote - LCDProc
Index(es):
- Date
- Thread