<<< Date Index >>>     <<< Thread Index >>>

ZRCSA-200503 - ktools Buffer Overflow Vulnerability

ZRCSA-200503 - ktools Buffer Overflow Vulnerability

Zone-H Research Center Security Advisory 200503
http://www.zone-h.fr

Date of release: 27/11/2005
Software: ktools (http://konst.org.ua/ktools)
Affected versions: <= 0.3
Risk: Medium
Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the 
Zone-H Research Team

Background (from http://konst.org.ua/ktools)
----------
ktools is a library which I wrote for my own programming needs, though its main 
purpose is to provide various text-mode user interface controls without a need 
to write too much code.

Details
--------
There is a buffer overflow in kkstrtext.h : 

#define VGETSTRING(c, fmt) \
    { \
        va_list vgs__ap; char vgs__buf[1024]; \
        va_start(vgs__ap, fmt); \
        vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
        va_end(vgs__ap); \
    }

This library is used in the following softwares:
centericq
orpheus
motor
groan

(see http://konst.org.ua/en/konstware)

It can be exploited for example in centericq when editing a contact's details 
with a detail field longer than 1024 chars (a <description> field of a rss feed 
for example).

Details:

- centericq.cc :

 case ACT_EDITUSER:
                c->save();
                /***************** here************/
                if(face.updatedetails(c, c->getdesc().pname)) {
                    if(c->getdesc().pname == infocard)
                        c->setdispnick(c->getnick());

...
...

- icqdialogs.cc :

bool icqface::updatedetails(icqcontact *c, protocolname upname) {

...
...
  while(!finished) {;
        gendetails(db.gettree(), c);
...
...


gendetails()
..
if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) || 
!capab.count(hookcapab::flexiblereg)) {
        i = tree->addnode(_(" About "));
        
        tree->addleaff(i, 0, 39, " %s ", about.c_str());



- treeview.cc :

int treeview::addleaff(int parent, int color, int ref, const char *fmt, ...) {
    string buf;
    VGETSTRING(buf, fmt);
    return addleaf(parent, color, (void *) ref, buf);
}



- kkstrtext.h :

#define VGETSTRING(c, fmt) \
    { \
        va_list vgs__ap; char vgs__buf[1024]; \
        va_start(vgs__ap, fmt); \
        vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
        va_end(vgs__ap); \
    }


Solution
---------
None. Vendor contacted on 18/11 and 25/11, no answer.

Original advisories:
English version: http://www.zone-h.org/en/advisories/read/id=8480/
French: http://www.zone-h.fr/fr/advisories/read/id=685