Dave's Remote Cat concatenates a file on a remote Linux host running the Dr.Cat daemon (drcatd) to stdout in the client's terminal. It authenticates users against the standard shadow password authentication facility and spawns a process with that user's permissions to attempt to access the requested file.
Multiple local buffer overflows and a remotely triggered buffer overflow have been found in the remote cat daemon. The remote overflow is triggered when an overly long filename string for a file that does not exist is passed to the server.
Credit:
The information has been provided by Khan Shirani.
Vulnerable Systems:
* Drcatd version 0.5.0-beta
When a filename is passed to the server remotely, after a user has authenticated, it is possible to pass an overly long filename string. If the specified file does not exist, the server logs the error; however, the log message is built by a sprintf() call without any bounds checking, leading to a remotely exploitable buffer overflow. An excerpt from the vulnerable code is presented below:
drcat-0.5.0-beta\src\drcatd.c
/* buf holds the client-supplied filename; its length is never checked
   before being formatted into the fixed-size fdne_msg and fd_msg buffers */
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
logIt(fdne_msg);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);  /* length of the whole buffer, not of the formatted string */
local_send(new_fd, fd_msg, len);
exit(1);
Note: Due to the exit system call it is not possible to exploit the overflow on the 80x86 architecture.
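A bounded replacement for the formatting shown above, added here as an illustration and not taken from drcatd; the 256-byte buffer size and the function names build_fdne_msg() and fdne_send_len() are assumptions for the example.

```c
/* Added example (not drcatd's code): bounded version of the
 * "File Does Not Exist" message formatting from the excerpt above.
 * MSG_BUF and the function names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MSG_BUF 256  /* assumed size of fdne_msg / fd_msg */

/* Formats "<name> - File Does Not Exist<suffix>" into out (out_len bytes).
 * snprintf() truncates instead of writing past the buffer. Returns the
 * number of bytes stored, excluding the terminating NUL, or -1 on error. */
int build_fdne_msg(char *out, size_t out_len, const char *name, const char *suffix)
{
    if (out == NULL || out_len == 0 || name == NULL || suffix == NULL)
        return -1;
    int n = snprintf(out, out_len, "%s - File Does Not Exist%s", name, suffix);
    if (n < 0)
        return -1;
    /* snprintf() reports the length it wanted; clamp to what actually fits. */
    if ((size_t)n >= out_len)
        return (int)(out_len - 1);
    return n;
}

/* Length to hand to the send call: the string length, not sizeof(buf),
 * so bytes beyond the NUL terminator are never sent to the client. */
size_t fdne_send_len(const char *msg)
{
    return strlen(msg);
}

int main(void)
{
    char fd_msg[MSG_BUF];
    /* Constructed oversized filename, far longer than the buffer, to show
     * that the bound holds and the last byte stays a NUL terminator. */
    char longname[1024];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    int n = build_fdne_msg(fd_msg, sizeof(fd_msg), longname, "\n");
    printf("stored %d bytes, send length %zu, terminated: %s\n",
           n, fdne_send_len(fd_msg), fd_msg[MSG_BUF - 1] == '\0' ? "yes" : "no");
    return 0;
}
```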