buffer overflow in dbadmin

securitySHELL.NACS.NET

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Oliver Friedrichs: "Re: linux 2.0.35 ip aliasing with aliased hwaddr"
• Previous message: Simple Nomad: "Patch for GroupWise buffer overflow"
• Next in thread: duke: "Re: buffer overflow in dbadmin"

I apologize if this has already been posted, I searched and did not find
it.  I found a buffer overflow (no exploit code here kiddies) in
dbadmin v1.0.1 for linux.  Dbadmin is a database administration tool
that is run as a CGI to maintain mSQL servers.

I am not sure whether it is exploitable or not.  Here is the data:

The README file indicates that the file needs to be setuid to the
owner of mSQL server.  It also suggests using a .htaccess file, so only
priveledged users will be able to use this to any advantage.

Looking at dbadmin.c, we see some interesting tidbits:

dbadmin.c:    strcpy(op_temp,curField->name);
dbadmin.c:      strcat(rec_new,curField->name);

At a glance, that doesn't look very good.  Neither does this:

[rootni dbadmin_v1.0.1]# grep strcat *.c | wc -l
     63
[rootni dbadmin_v1.0.1]# grep strcpy *.c | wc -l
     13

This is code from 1996 so if there has probably been a newer release, but
I can't seem to find it, or the author.

Have a great day.

Richard Zack.
------------------------------------------------------------
New Age Consulting Service, Inc.        216-619-2000

rootnacs.net                           richardnacs.net
hostmasternacs.net                     securitynacs.net

http://www.nacs.net/~richard
------------------------------------------------------------

• Next message: Oliver Friedrichs: "Re: linux 2.0.35 ip aliasing with aliased hwaddr"
• Previous message: Simple Nomad: "Patch for GroupWise buffer overflow"
• Next in thread: duke: "Re: buffer overflow in dbadmin"