'Dr.Cat' Daemon Buffer Overflows May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1010581
SecurityTracker URL: http://securitytracker.com/id?1010581
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 25 2004
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Advisory: Zone-H
Version(s): 0.5.0-beta

Description: Several buffer overflow vulnerabilities were reported in the 'Dr.Cat' daemon (drcatd). A local user may be able to gain elevated privileges on the target system.

Zone-h issued a security advisory indicating that a local user may be able to exploit several buffer overflows.

It is also reported that a remote authenticated user may be able to send a long filename for a non-existent file to trigger a buffer overflow. On some architectures, arbitrary code execution is not possible, the advisory said.

The flaws reportedly reside in 'drcatd.c'.

The vendor has reportedly been notified.

Khan Shirani is credited with discovering this flaw.

The original advisory is available at:
http://www.zone-h.org/en/advisories/read/id=4890

Impact: A local user may be able to execute arbitrary code. A remote authenticated user may be able to execute arbitrary code. According to the vendor, the affected daemon runs with root privileges, so arbitrary code execution may grant root access to the user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.joltedweb.com/drcat/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Fri, 25 Jun 2004 01:11:20 -0400
Subject: ZH2004-12SA (security advisory): Multiple local buffer overflows discovered

ZH2004-12SA (security advisory): Multiple local buffer overflows discovered in Drcatd
06/25/2004
Zone-h Security Advisory
Date of discovery : 24 june 2004
Date of release : 25 june 2004
Bug found by Khan Shirani
<shirani@zone-h.org>
http://www.zone-h.org
---------------------------------------
Software : Drcatd
Bugs : Buffer Overflows , Remote and local (multiple)
Risk : low
Platform : *nix
---------------------------------------
Description:
========
Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the
Dr.Cat daemon (drcatd) to stdout in the client's terminal. It authenticates users versus
the standard shadow password authentication facility and spawns a process with that user's
permissions to attempt to access the requested file.
http://www.joltedweb.com/drcat/
Vulnerability:
=========
Multiple local buffer overflows have been discovered. In addition to this, remote exploitation
is also possible due to a lack of boundary checking of input once a user has been authenticated.
The vulnerability exists when the remote user sends an overly long filename that doesn't exist.
This is handled by an sprintf() call, which is where the overflow will occur.
vulnerable code:
===========
----------------------
drcat-0.5.0-beta\src\drcatd.c
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
logIt(fdne_msg);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);
local_send(new_fd, fd_msg, len);
exit(1);
----------------------
NOTE: Due to the exit(1) from the above snippet, exploitation of this vulnerability is not
possible within x86 arches.
Vendor Notice:
==========
The vendor has been notified via <dave@joltedweb.com>
Copyright
=======
Contents may not be altered without notification to original author
permission is granted to reproduce this advisory on public databases.
shirani@zone-h.org
and all the zone-h staff.
http://www.zone-h.org
http://www.zone-h.org/en/advisories/read/id=4890
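
A bounded form of the sprintf() pattern quoted in the advisory, as an added example that is not part of the Zone-H advisory or the Dr.Cat source. The buffer size MSG_MAX and the helper build_fdne_msg() are assumptions, since the advisory does not show how fdne_msg, fd_msg or buf are declared.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64  /* assumed size; the advisory does not show the real buffers */
static const char SUFFIX[] = " - File Does Not Exist\n";

/* Hypothetical helper, not taken from drcatd.c. Formats the reply into out
 * and never writes more than outsz bytes. The client-supplied name is capped
 * with a "%.*s" precision so the fixed suffix always fits. Returns the number
 * of bytes to send (0 if out cannot hold even the suffix); *cut is set when
 * the name was shortened so the caller can log the oversized request. */
static size_t build_fdne_msg(char *out, size_t outsz, const char *name, int *cut)
{
    size_t room, name_len;
    int n;

    *cut = 0;
    if (outsz > 0)
        out[0] = '\0';
    if (outsz < sizeof(SUFFIX))            /* sizeof includes the terminator */
        return 0;
    room = outsz - sizeof(SUFFIX);         /* bytes available for the name */
    if (room > INT_MAX)
        room = INT_MAX;                    /* precision argument is an int */
    name_len = strlen(name);
    if (name_len > room) {
        name_len = room;
        *cut = 1;
    }
    n = snprintf(out, outsz, "%.*s%s", (int)name_len, name, SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {     /* defensive: treat as failure */
        out[0] = '\0';
        return 0;
    }
    return (size_t)n;                      /* send this, not sizeof(buffer) */
}

int main(void)
{
    char msg[MSG_MAX], longname[1024];
    int cut; size_t len;

    memset(longname, 'A', sizeof(longname) - 1);  /* constructed oversized name */
    longname[sizeof(longname) - 1] = '\0';
    len = build_fdne_msg(msg, sizeof(msg), longname, &cut);
    printf("reply is %zu bytes, name shortened: %d\n", len, cut);
    return 0;
}
```

The returned length is what a caller would pass to the send routine, so only the formatted reply leaves the process.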