5998276 2001-01-24 19:04 +0300 /173 lines/ Seva Gluschenko <gvs@RINET.RU>
Sent by: joel@lysator.liu.se
Imported: 2001-01-24 19:40 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: gvs@RINET.RU
Recipient: Bugtraq (import) <14987>
Subject: patch Re: [PkC] Advisory #003: micq-0.4.6 remote buffer overflow
------------------------------------------------------------
From: Seva Gluschenko <gvs@RINET.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSF.4.30.0101241847020.35798-100000@staff.rinet.ru>
Message from recidjvo at Jan 18 10:01, in parts:
Here the patch follows.
The quoting is included just to keep the problem description.
r> - Vulnerable program: micq-0.4.6 (Matt's ICQ clone). Maybe others.
r> - Tested on: Linux/ix86 (Slackware 7.1 - RedHat 6.1)
r>
r> - Advisory author: tHE rECIdjVO <recidjvo@pkcrew.org>
r> - Group: Packet Knights (http://www.pkcrew.org/)
r>
r> - Date of release: 01/18/2000
r>
r> - Problems: Remote buffer overflow
r> Local buffer overflow (not dangerous if not suid)
[skip]
r> - Summary:
r> micq-0.4.6 is one of the best ICQ emulators for the Linux console.
r> There is a buffer overflow in sprintf() in icq_response.c in function
r> Do_Msg() at line 879, which allows a remote attacker able to sniff
r> packets to the ICQ server to execute arbitrary code on the victim system.
r> There is a local buffer overflow, too.
r> If you send a URL message with too large a description, the program
r> receives a SIGSEGV.
[skip]
r> [ ... snip ... icq_response.c ... snip ... ]
r>
r> The buffer overflow is due to a malicious URL message sent by the
r> server. The client reads 1024 bytes from the UDP socket, trims the
r> message headers and splits the remaining data into the 1024-byte
r> url_data and url_desc, recombining them in the message char buffer, adding
r> about fifty digits. Because url_data is 1024 bytes long, this
r> instruction can be used to overwrite the return address of the function
r> and execute arbitrary code on the client machine.
r> - Solution:
r> A simple patch can be to increase the message buffer size up to 50
r> bytes. I've not tested if there are other problems fixing it that way.
r> I tried to alert the micq author (Matt Smith), but the homepage is out of
r> order and the email is nonexistent.
Three different sources said that Matt died in a car crash %(.
r> --
r> tHE rECIdjVO
r> Member of the Packet Knights
r> http://www.pkcrew.org/
So, here is the patch. It is very simple and somewhat system dependent:
you need snprintf/vsnprintf for it to work. I've grepped for sprintf
through the sources and replaced every possible overflow occurrence:
========= cut micq-0.4.6.snprintf.diff ===============================
--- micq-0.4.6/icq_response.c.orig Wed Jan 24 18:49:09 2001
+++ micq-0.4.6/icq_response.c Wed Jan 24 18:50:11 2001
@@ -724,7 +724,7 @@
{
char *tmp;
int x,m;
- char message[1024];
+ char message[1074];
char url_data[1024];
char url_desc[1024];
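Review bot: 1074 is still smaller than the worst case this function can produce: url_desc and url_data are each 1024 bytes (declared right below), and the format in the next hunk joins both into message, so the combined text can still exceed the buffer. Once that sprintf becomes snprintf the overflow is gone either way; the enlargement only changes how often the message gets cut short. A one-line comment saying the size is a convenience, not a bound, would stop the next maintainer from reading it as a guarantee.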
@@ -876,7 +876,7 @@
char_conv ("wc",data);
strcpy (url_data,data);
- sprintf (message,"Description: %s \n URL: %s",url_desc,url_data);
+ snprintf (message, sizeof(message), "Description: %s \n URL: %s",url_desc,url_data);
if ( UIN2nick( uin ) != NULL )
log_event( uin, LOG_MESS, "You received URL message from %s\n%s\n", UIN2nick(uin), message );
else
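Review bot: the `strcpy (url_data,data);` two lines above the changed line is still an unbounded copy into the 1024-byte url_data; if data can ever be as long as the 1024-byte datagram read, the terminator lands past the end of url_data. Bounding that copy as well, e.g. `snprintf (url_data, sizeof(url_data), "%s", data);`, would make the function safe regardless of how the caller split the packet. The snprintf return value is also discarded, so a truncated message is logged and displayed silently; a check for `>= sizeof(message)` would at least let the code notice.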
--- micq-0.4.6/sendmsg.c.orig Wed Jan 24 18:35:17 2001
+++ micq-0.4.6/sendmsg.c Wed Jan 24 18:38:51 2001
@@ -975,9 +975,9 @@
void icq_sendurl( SOK_T sok, DWORD uin, char *description, char *url )
{
- char buf[450];
+ char buf[500];
- sprintf( buf, "%s\xFE%s", url, description );
+ snprintf( buf, sizeof(buf), "%s\xFE%s", url, description );
icq_sendmsg( sok, uin, buf, URL_MESS );
}
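Review bot: with buf fixed at 500 bytes, the new snprintf quietly truncates any url plus description longer than 499 bytes and the shortened text is then handed to icq_sendmsg without the caller knowing. Since this is an outgoing message, checking the return value and refusing to send (or reporting the cutoff) when it is `>= sizeof(buf)` would be preferable to delivering a silently clipped URL.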
--- micq-0.4.6/util_ui.c.orig Wed Jan 24 18:41:01 2001
+++ micq-0.4.6/util_ui.c Wed Jan 24 18:43:19 2001
@@ -102,7 +102,7 @@
assert( 2048 >= strlen( str ) );
va_start( args, str );
- vsprintf( buf, str, args );
+ vsnprintf( buf, sizeof(buf), str, args );
k = write( fd, buf, strlen( buf ) );
if ( k != strlen( buf ) )
{
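Review bot: `sizeof(buf)` gives the intended bound only if buf is declared as an array in this function; the declaration is outside the hunk, so please confirm it is not a `char *`, where sizeof would yield the pointer size. Note also that the `assert( 2048 >= strlen( str ) );` above checks only the format string, not the expanded output, and compiles out under NDEBUG, so after this change the vsnprintf bound is the only real protection here.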
@@ -292,7 +292,7 @@
va_start( args, str );
#ifndef CURSES_UI
- vsprintf( buf, str, args );
+ vsnprintf( buf, sizeof(buf), str, args );
str2 = buf;
while ( (void *) NULL != ( str1 = strchr( str2, '\x1b' ) ) )
{
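Review bot: same `sizeof(buf)` caveat as in the previous hunk. The replacement sits inside `#ifndef CURSES_UI`; the `#else` branch is not shown in this diff and should be checked for an equivalent vsprintf call, otherwise builds with the curses UI keep the unbounded formatting.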
========= cut micq-0.4.6.snprintf.diff ===============================
I've also prepared a little patch for the micq messaging system to
increase its readability in parts - well, I did not succeed in contacting
Matt then... Use it if you like.
========= cut micq-queued.diff ===============================
--- micq-0.4.6/msg_queue.c.orig Thu Oct 12 14:11:40 2000
+++ micq-0.4.6/msg_queue.c Thu Oct 12 14:12:30 2000
@@ -139,9 +139,9 @@
}
if ( Chars_2_Word( &queued_msg->body[CMD_OFFSET] ) == CMD_SENDM ) {
R_undraw();
- M_print( MESSAGE_SENT_1_STR );
+ M_print( MESSAGE_QUEUED_1_STR );
Print_UIN_Name( Chars_2_DW(
&queued_msg->body[PAK_DATA_OFFSET] ) );
- M_print( MESSAGE_SENT_2_STR );
+ M_print( MESSAGE_QUEUED_2_STR );
R_redraw();
}
free(queued_msg->body);
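Review bot: switching to MESSAGE_QUEUED_1_STR/MESSAGE_QUEUED_2_STR makes msg_queue.c depend on every language header defining the new macros; this diff adds them only to english.h and russian.h, so any other language header in the tree will fail to compile until it gets the same two #defines.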
--- micq-0.4.6/english.h.orig Thu Oct 12 14:08:27 2000
+++ micq-0.4.6/english.h Thu Oct 12 14:11:26 2000
@@ -283,6 +283,8 @@
/* will hopefully solve any potential word order problems */
#define MESSAGE_SENT_1_STR "Message sent to "
#define MESSAGE_SENT_2_STR "!\n"
+#define MESSAGE_QUEUED_1_STR "Queued message for "
+#define MESSAGE_QUEUED_2_STR "... "
/********************************************************************/
/* Simple Yes no response*/
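Review bot: MESSAGE_QUEUED_2_STR is "... " with no trailing newline, while MESSAGE_SENT_2_STR ends in "!\n", so whatever is printed next continues on the same line. If that is intentional (the line is meant to be completed by a later "sent" message), a comment saying so would keep it from being "fixed" later.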
--- micq-0.4.6/russian.h.orig Thu Oct 12 14:09:01 2000
+++ micq-0.4.6/russian.h Thu Oct 12 14:10:56 2000
@@ -283,6 +283,8 @@
/* will hopefully solve any potential word order problems */
#define MESSAGE_SENT_1_STR "óÏÏÂÝÅÎÉÅ ÕÛÌÏ "
#define MESSAGE_SENT_2_STR "!\n"
+#define MESSAGE_QUEUED_1_STR "óÏÏÂÝÅÎÉÅ ÄÌÑ "
+#define MESSAGE_QUEUED_2_STR "ÐÏÓÔÁ×ÌÅÎÏ × ÏÞÅÒÅÄØ... "
/********************************************************************/
/* Simple Yes no response*/
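Review bot: these string literals are raw 8-bit Cyrillic bytes and show up as mojibake in this archive rendering; anyone applying the patch from the list should take it from a binary-clean copy, since a mail gateway re-encoding the text would corrupt the macros. The same trailing-newline remark as for english.h applies to MESSAGE_QUEUED_2_STR here.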
@@ -391,6 +393,8 @@
/* will hopefully solve any potential word order problems */
#define MESSAGE_SENT_1_STR "óÏÏÂÝÅÎÉÅ ÕÛÌÏ "
#define MESSAGE_SENT_2_STR "\n"
+#define MESSAGE_QUEUED_1_STR "óÏÏÂÝÅÎÉÅ ÄÌÑ "
+#define MESSAGE_QUEUED_2_STR "ÐÏÓÔÁ×ÌÅÎÏ × ÏÞÅÒÅÄØ... "
/********************************************************************/
/* Simple Yes no response*/
========= cut micq-queued.diff ===============================
SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator. | GVS-RIPE | GVS3-RIPN
(5998276) --------------------------------(Rewrapped)
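An added example (my own code, not micq's and not part of the patch above) of the one check the snprintf replacements leave out: the same Do_Msg() format string, fed the advisory's worst-case input, reporting truncation instead of hiding it. The 1074-byte message size and the 1024-byte url_desc/url_data come from the patch; the format_url_message and demo_* names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not micq code): build the "Description/URL" message the
 * patched Do_Msg() builds, but report truncation instead of hiding it.
 * 1074 is the message[] size chosen in the patch. The fixed text of the
 * format adds 21 bytes, so two full 1023-byte strings can never fit. */
#define MESSAGE_SIZE 1074

/* Returns 0 when the whole message fit, -1 when it was cut short.
 * snprintf never writes more than outsz bytes and always terminates the
 * result; its return value is the length the untruncated message would
 * have had, which is what tells us the buffer was too small. */
int format_url_message(char *out, size_t outsz,
                       const char *url_desc, const char *url_data)
{
    int n = snprintf(out, outsz, "Description: %s \n URL: %s",
                     url_desc, url_data);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';              /* do not pass on a half-built message */
        return -1;
    }
    return 0;
}

/* Constructed worst case: both 1024-byte halves of the datagram are as
 * long as their buffers allow, the situation the advisory describes. */
int demo_worst_case(char *out, size_t outsz)
{
    char url_desc[1024], url_data[1024];
    memset(url_desc, 'D', sizeof url_desc - 1);
    url_desc[sizeof url_desc - 1] = '\0';
    memset(url_data, 'U', sizeof url_data - 1);
    url_data[sizeof url_data - 1] = '\0';
    return format_url_message(out, outsz, url_desc, url_data);
}

/* Constructed normal case: a short description and URL fit with room. */
int demo_normal_case(char *out, size_t outsz)
{
    return format_url_message(out, outsz, "PkC", "http://www.pkcrew.org/");
}

int main(void)
{
    char message[MESSAGE_SIZE];
    printf("worst case: %d\n", demo_worst_case(message, sizeof message));
    printf("normal case: %d\n", demo_normal_case(message, sizeof message));
    printf("%s\n", message);
    return 0;
}
```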