From: qitest1 (qitest1@cercaband.com)
Date: Wed Jun 06 2001 - 08:45:55 CDT
/* qitest1's security advisory #001
*/
Buffer Overflow in TIAtunnel-0.9alpha2
+Systems Affected
Any system running TIAtunnel-0.9alpha2
+Program Description
TIAtunnel is a simple IRC bouncer that allows access from a simple
IPv4 box to any kind of well-known server. It has been written by
tHE rECIdjVO <recidjvo@pkcrew.org>, http://tiatunnel.pkcrew.org/.
+Vulnerability And Impact
A remote attacker can overflow a buffer and execute arbitrary code
on the system with the privileges of the user running TIAtunnel.
In fact, in auth.c at line 28 we have:
    struct tunnel *auth_conn(int *csock, int entries)
    {
        char authline[512]; /* static char buf */
        struct tunnel *t_current;
        int i = 0;
        // Read one line from the client
        bzero(authline, 512);
        while((authline[i - 1] != '\n') && (authline[i - 1] != '\r') &&
              (i < 1024)) { /* 1024?! =) */
            read(*csock, (authline + i++), (size_t)1);
        }
+Solution
Author was contacted. Upgrade your version of TIAtunnel.
+Exploit
This bug can be successfully exploited by a remote attacker.
Demonstrative exploit code is attached to this advisory. See the code
for more info.
--
/* qitest1                          http://qitest1.cjb.net   *
 * ``Ut tensio, sic vis. 69 tecum sis.''                     *
 * main(){if(unsatisfied == 69) try_come(in);}               */
- TEXT/PLAIN attachment: tiatunnel.c
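
The overflow in the auth.c excerpt above comes from a loop bound (1024) larger than the buffer (512), and the loop also inspects authline[i - 1] before any byte has been read. A bounded version of that read loop follows as an added example; it is not part of the original advisory or of the TIAtunnel source. The names read_auth_line, demo_line_of and AUTHLINE_MAX are hypothetical, and the pipe input is constructed for the demonstration:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define AUTHLINE_MAX 512   /* size of authline[] in the advisory's excerpt */

/* Hypothetical helper (not TIAtunnel code): read one line into buf[cap].
 * Returns the line length, or -1 on error, EOF, or an over-long line. */
ssize_t read_auth_line(int fd, char *buf, size_t cap)
{
    size_t i = 0;
    char c;
    if (buf == NULL || cap == 0)
        return -1;
    memset(buf, 0, cap);
    for (;;) {
        ssize_t n = read(fd, &c, 1);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        if (n <= 0)
            return -1;              /* error, or EOF before a terminator */
        if (c == '\n' || c == '\r')
            return (ssize_t)i;      /* test the byte just read, never buf[i - 1] */
        if (i >= cap - 1)
            return -1;              /* bound derived from cap; reject, don't truncate */
        buf[i++] = c;
    }
}

/* Constructed input: len bytes of 'A' plus '\n', fed through a pipe. */
ssize_t demo_line_of(size_t len)
{
    char in[2048], authline[AUTHLINE_MAX];
    int p[2];
    ssize_t w, r = -2;              /* -2 = harness failure, not a helper result */
    if (len >= sizeof in || pipe(p) != 0)
        return r;
    memset(in, 'A', len);
    in[len] = '\n';
    w = write(p[1], in, len + 1);
    close(p[1]);
    if (w == (ssize_t)(len + 1))
        r = read_auth_line(p[0], authline, sizeof authline);
    close(p[0]);
    return r;
}
int main(void)
{
    printf("511 -> %zd, 1000 -> %zd\n", demo_line_of(511), demo_line_of(1000));
    return 0;
}
```

A 511-byte line is the longest that fits with its terminating NUL; anything longer is rejected and the caller should drop the connection.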