A few programs that were built for BeOS (and are bundled with it) suffer from buffer overflow problems. These buffer overflows can be used to execute arbitrary code.
Credit:
The information has been provided by vort-fu.
Vulnerable systems:
BeOS r4.5, r4.5-2, r5 pro
Felix-2-3-R4 (IRC Client)
Baxter (IRC Client)
Bowser (IRC Client)
PostMaster-1.0 (Email Client)
RobinHood-1.1 (HTTPD)
Felix-2-3-R4
Introduction:
Felix is BeOS's first available IRC client, and to date, one of the most popular. Felix, like many 'Internet Aware' BeOS applications, parses data containing web specific terms such as 'http' and 'www' and creates a link that opens the string in BeOS's shipped web browser, NetPositive.
Vulnerability:
The parsing of URLs from channel or private-message text does not include proper or complete bounds checking on the length of the URL. Thus, if the URL exceeds the bound set by Felix, the variable is overflowed and Felix crashes.
The URL does not need to be clicked, highlighted or accessed by any special means; the problem lies in the creation of the link to NetPositive.
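The defect described above is a link extractor that copies a URL token into a fixed-size buffer without checking the token's length first. The following is an added example, not Felix's code: a small linkifier in the same style (scan a line for a token starting with "http" or "www", copy it into a link buffer) that refuses over-long tokens instead of overflowing. The 256-byte limit and the function names are assumptions for the illustration; the advisory does not state Felix's actual limit.

```c
#include <stdio.h>
#include <string.h>

/* Maximum link length accepted by this hypothetical linkifier. Felix's real
 * limit is not given in the advisory; 256 is an assumed value. */
#define MAX_LINK_LEN 256

/* Result codes for extract_link(). */
enum link_status { LINK_NONE = 0, LINK_OK = 1, LINK_TOO_LONG = 2 };

/* Scan one line of channel text for the first token that starts with
 * "http" or "www" and copy it into link (capacity link_cap bytes).
 * The copy is checked against the capacity before it happens, so an
 * over-long URL is reported rather than written past the buffer. */
enum link_status extract_link(const char *text, char *link, size_t link_cap)
{
    const char *start = NULL;
    const char *p;
    size_t len;

    for (p = text; *p; p++) {
        if ((p == text || p[-1] == ' ') &&
            (strncmp(p, "http", 4) == 0 || strncmp(p, "www", 3) == 0)) {
            start = p;
            break;
        }
    }
    if (!start)
        return LINK_NONE;

    /* Token length: up to the next whitespace or the end of the line. */
    len = strcspn(start, " \t\r\n");

    if (len >= link_cap) {
        /* Refuse rather than truncate: a silently truncated URL would
         * open a location the sender did not write. */
        link[0] = '\0';
        return LINK_TOO_LONG;
    }
    memcpy(link, start, len);
    link[len] = '\0';
    return LINK_OK;
}

int main(void)
{
    char link[MAX_LINK_LEN];
    char line[1024];

    /* Constructed sample message with a normal URL. */
    printf("status %d\n", extract_link("see http://example.test/x for details",
                                       link, sizeof link));
    printf("link   %s\n", link);

    /* Constructed message shaped like the advisory's example:
     * "http://" followed by 600 'A' characters. */
    memcpy(line, "http://", 7);
    memset(line + 7, 'A', 600);
    line[607] = '\0';
    printf("status %d\n", extract_link(line, link, sizeof link));
    return 0;
}
```

The check happens on the token's length before any byte is copied, which is the step the advisory says Felix, Baxter and Bowser lack; the same pattern applies to any "Internet aware" text view that turns matched terms into links.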
Example:
http://AAAAAAAAAA .........
|_________________________| -- 500+ characters
Registers:
Segment violation occurred 41414141 read_fault
eax 00000001 ebp 41414141 cs 001b
edx 001a6fe0 esi 80176200 ss 0023
ecx 00000001 edi 80176200 ds 0023
ebx 800c01c8 esp fc4c176c es 0023
fs 0000
eflags 00010282 eip 41414141
trap_no 0000000e error_code 00000004
Both Baxter and Bowser IRC Clients suffer from the same type of overflow. The lengths at which they overflow may be different, but given a high enough length they can both produce unwanted events.
Baxter tends to simply crash when the URL string is too long, the same as Felix. Though with Bowser (which might crash at a higher length), it simply 'resets' the user's channel screen, removing anything that was previously typed in the channel or by the user.
PostMaster 1.0:
(Tested on the 1.0 demo version)
PostMaster also creates links to web-specific terms in any received email and will crash once a message containing an http string longer than 512 bytes is read. Depending on how and when the message is read, PostMaster will crash every time it is loaded until the offending email is manually removed from /boot/home/mail/in/
RobinHood 1.1-httpd
Introduction:
RobinHood is one of the best free third-party HTTP servers for BeOS. It is based on libHTTP, which was created by the same author, and is written entirely for BeOS with no ported code. Even the upgrade from 1.0 to 1.1 fails to add proper bounds checking on received requests.
The problem may be included in libHTTP and thus in any applications that use it.
Vulnerability:
RobinHood fails to check received requests in both RHConsole (GUI management tool) and RHDaemon (the actual server). Due to this, it is possible to crash both the console and the daemon by sending a request longer than ~4080 bytes.
This error is located in the following files:
RobinHoodx86/source/RHConsole/source/RHCWindow.cpp: int RHCWindow::ConsolePrintf(const char *format, ...)
and
RobinHoodx86/source/RHDaemon/source/RHLogger.cpp: log_printf(const char *format, ...)
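Both functions named above are printf-style routines taking a format and a variable argument list, and the ~4080-byte threshold is consistent with formatting a request into a fixed-size buffer with no length limit. The following is an added example, not RobinHood's or libHTTP's code: a bounded log_printf that formats with vsnprintf, marks truncation visibly, and lets the caller detect that a request line did not fit. The 4080-byte buffer size is an assumption chosen to match the advisory's threshold, and the request text is always passed as an argument, never as the format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed line buffer. 4080 mirrors the threshold in the advisory; it is an
 * assumption about RobinHood's constant, not a value taken from its source. */
#define LOG_LINE_MAX 4080

/* Bounded formatting into line (capacity cap). Returns the length the full
 * message would have had, so a caller can compare it against cap to detect
 * truncation. An unbounded vsprintf() here is the defect shape the advisory
 * describes: a request longer than the buffer overwrites the stack. */
int log_printf(char *line, size_t cap, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(line, cap, format, ap);
    va_end(ap);

    if (n < 0) {
        line[0] = '\0';
        return -1;
    }
    if ((size_t)n >= cap) {
        /* Output was cut; overwrite the tail with a visible marker so the
         * person reading the log knows the line is incomplete. */
        const char marker[] = "...[truncated]";
        if (cap > sizeof marker)
            memcpy(line + cap - sizeof marker, marker, sizeof marker);
    }
    return n;
}

/* Log one received request line from peer. Returns 1 if the whole line
 * fit in the buffer and 0 if it was truncated. The request is passed as
 * a %s argument, never as the format string. */
int log_request(const char *peer, const char *request)
{
    char line[LOG_LINE_MAX];
    int n = log_printf(line, sizeof line, "%s \"%s\"\n", peer, request);

    fputs(line, stdout);
    return n >= 0 && (size_t)n < sizeof line;
}

int main(void)
{
    /* Constructed request lines: one ordinary, one far past the buffer. */
    char big[6000];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short request fit: %d\n", log_request("10.0.0.1", "GET / HTTP/1.0"));
    printf("long request fit:  %d\n", log_request("10.0.0.1", big));
    return 0;
}
```

With the bounded call, the 4078+-byte request from the advisory's telnet example produces a truncated log line and a return value of 0 instead of a segment violation at 41414141; the server can additionally reject request lines over a chosen limit before they ever reach the logger.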
Example:
$ telnet www.server.com 80
Trying server.com...
Connected to server.com.
Escape character is '^]'.
AAAAAAAAAAAAAAA... - 4078+ bytes
Registers:
segment violation occurred 41414141 read_fault
http thread:regs
eax 00001010 ebp 41414141 cs 001b
edx 00000007 esi fc2c0d9c ss 0023
ecx 00000000 edi 80017f20 ds 0023
ebx 8000c7fc esp fc2bd3f4 es 0023
fs 0000
eflags 00010246 eip 41414141
trap_no 0000000e error_code 00000004
http thread: