Product : mnoGoSearch Date : 02/15/2004 Author : Frank Denis <j@pureftpd.org> ------------------------[ Product description ]------------------------ From the web site : mnoGoSearch (formerly known as UdmSearch) is a full-featured web search engine software for intranet and internet servers. mnoGoSearch for UNIX is a free software covered by the GNU General Public License and mnoGoSearch for Windows is a commercial search software version. Home page : http://www.mnogosearch.ru/ ------------------------[ Vulnerability ]------------------------ Every document is stored in multiple parts according to its sections (description, body, etc) in databases. And when the content has to be sent to the client, UdmDocToTextBuf() concatenates those parts together and skips metadata. Unfortunately, that function lacks bounds checking and a buffer overflow can be triggered by indexing a large enough document. ------------------------[ Details ]------------------------ From src/doc.c of the latest release (3.2.15) : int UdmDocToTextBuf(UDM_DOCUMENT * Doc,char *textbuf,size_t len){ size_t i; char *end; textbuf[0]='\0'; udm_snprintf(textbuf, len, "<DOC"); end=textbuf+strlen(textbuf); for(i=0;i<Doc->Sections.nvars;i++){ ... sprintf(end,"\t%s=\"%s\"",S->name,S->val); end=end+strlen(end); } strcpy(end,">"); return UDM_OK; } 'len' is fixed to 10K in searchd.c . S->val length depends on the length of the original document and on the indexer settings (the sample configuration file has low limits that work around the bug, though). Exploitation should be easy, moreover textbuf points to the stack. ------------------------[ Affected versions ]------------------------ mnoGoSearch 3.2.15, 3.2.14 and 3.2.13 have been verified to be vulnerable, previous versions may also be affected. ------------------------[ Workarounds ]------------------------ The max size of every section is configurable un the document sections of the indexer.conf : Section body 1 8192 Section title 2 128 Section meta.keywords 3 128 Section meta.description 4 128 ... Make sure that the last value of each section is below 10 kilobytes. If you need to use a larger value (which can be handy for the body section to get accurate extracts without using stored), the size of the buffer is defined in src/searchd.c, in do_client(), around line 216. Change the textbuf[] size to something that matches the maximum size of your sections. ------------------------[ Vendor status ]------------------------ Vendor was notified on Jan 8 with mails to devel@mnogosearch.org. Other vulnerabilities were reported as well. No answer was ever received and no fixed version seems to be available yet. -- __ /*- Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com> -*\ __ \ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' / \/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/