<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities in DConnect Daemon 0.7.0 (CVS 30 Jul 2006)



#######################################################################

                             Luigi Auriemma

Application:  DConnect Daemon
              http://www.dc.ds.pg.gda.pl
Versions:     <= 0.7.0 and CVS <= 30 Jul 2006
Platforms:    Windows, *nix, *BSD and others
Bugs:         A] listen_thread_udp buffer-overflow
              B] dc_chat NULL pointer
              C] various format string bugs (privileges needed)
Exploitation: remote
Date:         06 Aug 2006
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DConnect Daemon is an open source P2P server for the Direct Connect
protocol.


#######################################################################

=======
2) Bugs
=======

------------------------------------
A] listen_thread_udp buffer-overflow
------------------------------------

The main function which handles the UDP packets is affected by a
buffer-overflow vulnerability which happens when a nickname longer than
32 (NICK_LEN) chars is received.
The UDP port is disabled by default, the min_slots parameter in
dcd.conf must be enabled for using this service.

>From main.c:

void listen_thread_udp(void *args)
    ...
    char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL, 
*__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
    ...
        if (!i)nick_prev[0]=0;          
        else strcpy(nick_prev,nick);
    ...


-----------------------
B] dc_chat NULL pointer
-----------------------

The dc_chat function used for handling the messages received from the
clients leads to a crash caused by usr->nick which points to NULL if
the client has not sent its nickname yet (so it's enough to send a
message as first command for exploiting this bug).

>From cmd.dc.c:

void dc_chat(dc_param_t *param)
{
    userrec_t *usr = param->usr;
    ...
    if (strcmp(cmd,usr->nick))
    ...


-------------------------------------------------
C] various format string bugs (privileges needed)
-------------------------------------------------

privmsg and pubmsg are two functions used to send messages to one or
more users.
Both the functions require a format argument (like printf) which is
missed in some parts of the code.
These format string vulnerabilities can be exploited only if the
attacker has superior user or administrator privileges.

>From cmd.user.c:

void chat_msg(chat_param_t *param)
    ...
    if (user[n]!=usr) pubmsg(user[n],msg);
    ...

void chat_msg_all(chat_param_t *param)
    ...
    pubmsg(NULL,par);
    ...

void chat_msg_prv(chat_param_t *param)
    ...
    if (user[n]!=usr) privmsg(user[n],NULL,msg);
    ...

void chat_msg_prv_all(chat_param_t *param)
    ...
    privmsg(NULL,NULL,msg);
    ...

>From penalties.c:

void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
    ...
    privmsg(to,op,str);
    ...

>From cmd.dc.c:

void dc_OpForceMove(dc_param_t *param)
    ...
    privmsg(usr,NULL,msg);
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/dconnx.zip


#######################################################################

======
4) Fix
======


CVS 31 Jul 2006:

  cvs -d:pserver:anonymous@xxxxxxxxxxxxxxxx:/home/cvsroot get dc-hub


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org