OSEC

From: Seva Gluschenko (gvsRINET.RU)
Date: Wed Jan 24 2001 - 10:04:12 CST


    Message from recidjvo of Jan 18 10:01, quoted in parts:

    Here the patch follows.
    The quoting is kept only to preserve the problem description.

    r> - Vulnerable program: micq-0.4.6 (Matt's ICQ clone). Maybe others.
    r> - Tested on: Linux/ix86 (Slackware 7.1 - RedHat 6.1)
    r>
    r> - Advisory author: tHE rECIdjVO <recidjvopkcrew.org>
    r> - Group: Packet Knights (http://www.pkcrew.org/)
    r>
    r> - Date of release: 01/18/2000
    r>
    r> - Problems: Remote buffer overflow
    r> Local buffer overflow (not dangerous if not suid)

    [skip]

    r> - Summary:
    r> micq-0.4.6 is one of the best ICQ emulators for the Linux console.
    r> There is a buffer overflow in sprintf() in icq_response.c in function
    r> Do_Msg() at line 879, that allows a remote attacker able to sniff
    r> packets to the ICQ server to execute arbitrary code on the victim system.
    r> There is a local buffer overflow, too.
    r> If you send a URL message with a too large description, the program
    r> receives a SIGSEGV.

    [skip]

    r> [ ... snip ... icq_response.c ... snip ... ]
    r>
    r> The buffer overflow is due to a malicious URL message sent by the
    r> server. The client reads 1024 bytes from the UDP socket, trims the
    r> message headers and splits the remaining data into the 1024-byte
    r> url_data and url_desc, recombining them in the message char buffer and
    r> adding about fifty characters. Because url_data is 1024 bytes long, this
    r> instruction can be used to overwrite the return address of the function
    r> and execute arbitrary code on the client machine.

    r> - Solution:
    r> A simple patch can be to increase the message buffer size by 50
    r> bytes. I've not tested whether there are other problems with fixing it that way.
    r> I tried to alert the micq author (Matt Smith), but the homepage is out of
    r> order and the email is nonexistent.

    Three different sources said that Matt died in a car crash %(.

    r> --
    r> tHE rECIdjVO
    r> Member of the Packet Knights
    r> http://www.pkcrew.org/

    So, here is the patch. It is very simple and somewhat system dependent:
    you need snprintf/vsnprintf to have it working. I've grepped for sprintf
    through the sources and replaced every possible overflow occurrence:

    ========= cut micq-0.4.6.snprintf.diff ===============================
    --- micq-0.4.6/icq_response.c.orig Wed Jan 24 18:49:09 2001
    +++ micq-0.4.6/icq_response.c Wed Jan 24 18:50:11 2001
    -724,7 +724,7
     {
        char *tmp;
             int x,m;
    - char message[1024];
    + char message[1074];
        char url_data[1024];
        char url_desc[1024];

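Review bot: the bump from message[1024] to message[1074] does not by itself make the sprintf() at line 879 safe, so the size change should not be read as the fix: url_desc and url_data can each hold 1023 characters and the format "Description: %s \n URL: %s" adds 21 literal characters, so the worst case needs 2068 bytes, far more than 1074. Only the snprintf() in the next hunk bounds the write; either say so in the patch description or size message for the worst case (2 * 1024 plus the literal text) so that no truncation can occur.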
    -876,7 +876,7
           char_conv ("wc",data);
           strcpy (url_data,data);

    - sprintf (message,"Description: %s \n URL: %s",url_desc,url_data);
    + snprintf (message, sizeof(message), "Description: %s \n URL: %s",url_desc,url_data);
           if ( UIN2nick( uin ) != NULL )
              log_event( uin, LOG_MESS, "You received URL message from %s\n%s\n", UIN2nick(uin), message );
           else
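Review bot: the snprintf() return value is discarded, so an over-long message is silently cut short, and because the URL comes last in the format it is the part that gets lost; the strcpy (url_data,data) two lines above also still copies unbounded. Suggest checking the result, e.g. `n = snprintf(message, sizeof(message), ...); if (n < 0 || n >= sizeof(message)) { /* drop or flag the message */ }`, and bounding the copy with strncpy or an explicit strlen(data) check against sizeof(url_data). The n < 0 test also covers pre-C99 libcs, which return -1 on truncation instead of the full length.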
    --- micq-0.4.6/sendmsg.c.orig Wed Jan 24 18:35:17 2001
    +++ micq-0.4.6/sendmsg.c Wed Jan 24 18:38:51 2001
    -975,9 +975,9

     void icq_sendurl( SOK_T sok, DWORD uin, char *description, char *url )
     {
    - char buf[450];
    + char buf[500];

    - sprintf( buf, "%s\xFE%s", url, description );
    + snprintf( buf, sizeof(buf), "%s\xFE%s", url, description );
        icq_sendmsg( sok, uin, buf, URL_MESS );
     }

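Review bot: clipping an outbound URL message is worse than refusing it: with buf[500] and the format "%s\xFE%s", a url of 499 bytes or more leaves no room for the \xFE separator or the description, so the peer receives a URL message with no separator at all. Since description and url are caller-supplied, check `strlen(url) + 1 + strlen(description) < sizeof(buf)` first and return without calling icq_sendmsg() otherwise, rather than relying on snprintf to truncate. The growth from 450 to 500 has no stated rationale in the hunk; a comment on what limits the message size would help.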
    --- micq-0.4.6/util_ui.c.orig Wed Jan 24 18:41:01 2001
    +++ micq-0.4.6/util_ui.c Wed Jan 24 18:43:19 2001
    -102,7 +102,7
        assert( 2048 >= strlen( str ) );

        va_start( args, str );
    - vsprintf( buf, str, args );
    + vsnprintf( buf, sizeof(buf), str, args );
        k = write( fd, buf, strlen( buf ) );
        if ( k != strlen( buf ) )
        {
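Review bot: sizeof(buf) is only the buffer size if buf is an array declared in this function; its declaration is outside the hunk, so confirm it is not a char *, in which case sizeof yields the pointer size and vsnprintf would write at most 4 or 8 bytes. The assert on line 102 bounds only the format string, not the expanded output, and is compiled out under NDEBUG, so the vsnprintf is the real guard; as in the other hunks its return value is not checked, so a truncated line goes to write(fd, ...) with no indication.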
    -292,7 +292,7

        va_start( args, str );
     #ifndef CURSES_UI
    - vsprintf( buf, str, args );
    + vsnprintf( buf, sizeof(buf), str, args );
        str2 = buf;
        while ( (void *) NULL != ( str1 = strchr( str2, '\x1b' ) ) )
        {
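Review bot: this hunk changes only the #ifndef CURSES_UI branch; the #else branch for the curses UI lies outside the hunk and, if it also formats with vsprintf, stays unbounded, so it needs the same treatment. The same sizeof(buf) caveat as in the first util_ui.c hunk applies, since the declaration of buf is not shown. The strchr loop that follows only requires buf to be NUL-terminated, which vsnprintf guarantees for any size greater than zero even when it truncates.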
    ========= cut micq-0.4.6.snprintf.diff ===============================

    I've also prepared a little patch for the micq messaging system to
    improve its readability in places; well, I did not succeed in contacting
    Matt then... Use it if you like.

    ========= cut micq-queued.diff ===============================
    --- micq-0.4.6/msg_queue.c.orig Thu Oct 12 14:11:40 2000
    +++ micq-0.4.6/msg_queue.c Thu Oct 12 14:12:30 2000
    -139,9 +139,9
                }
                if ( Chars_2_Word( &queued_msg->body[CMD_OFFSET] ) == CMD_SENDM ) {
                     R_undraw();
    - M_print( MESSAGE_SENT_1_STR );
    + M_print( MESSAGE_QUEUED_1_STR );
                     Print_UIN_Name( Chars_2_DW( &queued_msg->body[PAK_DATA_OFFSET] ) );
    - M_print( MESSAGE_SENT_2_STR );
    + M_print( MESSAGE_QUEUED_2_STR );
                     R_redraw();
                }
                free(queued_msg->body);
    --- micq-0.4.6/english.h.orig Thu Oct 12 14:08:27 2000
    +++ micq-0.4.6/english.h Thu Oct 12 14:11:26 2000
    -283,6 +283,8
     /* will hopefully solve any potential word order problems */
     #define MESSAGE_SENT_1_STR "Message sent to "
     #define MESSAGE_SENT_2_STR "!\n"
    +#define MESSAGE_QUEUED_1_STR "Queued message for "
    +#define MESSAGE_QUEUED_2_STR "... "

     /********************************************************************/
     /* Simple Yes no response*/
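Review bot: MESSAGE_QUEUED_2_STR is "... " with no trailing newline, whereas the MESSAGE_SENT_2_STR it stands in for in msg_queue.c ends in "!\n", so whatever is printed next after R_redraw() continues on the same line. If that is deliberate (a later "sent" confirmation finishing the line), say so in a comment beside the define; otherwise end the string with "\n". The word-order comment above applies to the new pair as well, so keep it adjacent.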
    --- micq-0.4.6/russian.h.orig Thu Oct 12 14:09:01 2000
    +++ micq-0.4.6/russian.h Thu Oct 12 14:10:56 2000
    -283,6 +283,8
     /* will hopefully solve any potential word order problems */
     #define MESSAGE_SENT_1_STR "Сообщение ушло "
     #define MESSAGE_SENT_2_STR "!\n"
    +#define MESSAGE_QUEUED_1_STR "Сообщение для "
    +#define MESSAGE_QUEUED_2_STR "поставлено в очередь... "

     /********************************************************************/
     /* Simple Yes no response*/
    -391,6 +393,8
     /* will hopefully solve any potential word order problems */
     #define MESSAGE_SENT_1_STR "Сообщение ушло "
     #define MESSAGE_SENT_2_STR "\n"
    +#define MESSAGE_QUEUED_1_STR "Сообщение для "
    +#define MESSAGE_QUEUED_2_STR "поставлено в очередь... "

     /********************************************************************/
     /* Simple Yes no response*/
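Review bot: this second hunk adds definitions byte-identical to the first, at line 391, while the surrounding MESSAGE_SENT_2_STR differs between the two blocks ("!\n" at 283, "\n" at 391). If the two blocks exist for different terminals or character sets, confirm that the new strings should really be identical in both places and that they are encoded in the same character set as the neighbouring "Сообщение ушло" text in each block.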
    ========= cut micq-queued.diff ===============================

    SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
    Cronyx Plus / RiNet network administrator. | GVS-RIPE | GVS3-RIPN
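As an added example, not code from micq or from either poster: the Do_Msg() buffer arithmetic the advisory describes, with a bounded replacement beside it. The format string is the one from the icq_response.c hunk; the two 1024-byte halves and the benign URL are constructed here, and HALF_SIZE, the function names and the 4096-byte scratch buffer are assumptions of this example, not of the original code.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not micq's code. It models the Do_Msg() layout from the
 * advisory: a 1024-byte datagram split into url_desc and url_data (each a
 * 1024-byte array, so each holds at most 1023 characters) and recombined
 * with a fixed format into a 1024-byte message buffer. */

#define HALF_SIZE 1024                       /* assumed, matches the hunk */
#define URL_MESSAGE_FMT "Description: %s \n URL: %s"   /* from the hunk */

/* Fill both halves to their maximum length, as a hostile server could
 * (constructed input, not a captured packet). */
static void hostile_halves(char *url_desc, char *url_data)
{
    memset(url_desc, 'D', HALF_SIZE - 1);
    url_desc[HALF_SIZE - 1] = '\0';
    memset(url_data, 'U', HALF_SIZE - 1);
    url_data[HALF_SIZE - 1] = '\0';
}

/* Characters the formatted message needs, NUL excluded. snprintf with a
 * NULL buffer and size 0 measures without writing (C99 behaviour). */
size_t url_message_len(const char *url_desc, const char *url_data)
{
    int n = snprintf(NULL, 0, URL_MESSAGE_FMT, url_desc, url_data);
    return n < 0 ? 0 : (size_t)n;
}

/* Length of the advisory's worst case: two 1023-character halves plus the
 * 21 literal characters of the format. */
size_t advisory_case_len(void)
{
    char url_desc[HALF_SIZE], url_data[HALF_SIZE];
    hostile_halves(url_desc, url_data);
    return url_message_len(url_desc, url_data);
}

/* Would the original sprintf() into message[msg_size] stay in bounds
 * (formatted text plus the terminating NUL)? */
int advisory_case_fits(size_t msg_size)
{
    return advisory_case_len() + 1 <= msg_size;
}

/* Hardened recombination: the write is bounded by msg_size and truncation
 * is reported instead of silently dropping the tail of the URL.
 * Returns 0 when the whole message fits, -1 otherwise. */
int format_url_message(char *message, size_t msg_size,
                       const char *url_desc, const char *url_data)
{
    int n = snprintf(message, msg_size, URL_MESSAGE_FMT, url_desc, url_data);
    /* C99 returns the full length; pre-C99 libcs return -1 on truncation.
     * Both are treated as failure so a clipped message is never used. */
    if (n < 0 || (size_t)n >= msg_size)
        return -1;
    return 0;
}

/* Hardened path against the hostile input: 1 if it refuses to emit a
 * truncated message into a msg_size-byte buffer, 0 if the message fit. */
int hardened_rejects_advisory_case(size_t msg_size)
{
    char url_desc[HALF_SIZE], url_data[HALF_SIZE];
    char message[4096];                      /* assumed scratch size */
    if (msg_size > sizeof message)
        return 0;
    hostile_halves(url_desc, url_data);
    return format_url_message(message, msg_size, url_desc, url_data) == -1;
}

/* Hardened path against an ordinary message (constructed): 1 if the
 * output is exactly what the format should produce, 0 otherwise. */
int hardened_benign_case(void)
{
    char message[128];
    if (format_url_message(message, sizeof message,
                           "hello", "http://example.invalid/") != 0)
        return 0;
    return strcmp(message,
                  "Description: hello \n URL: http://example.invalid/") == 0;
}

int main(void)
{
    printf("worst case needs %zu bytes: fits in 1024? %d  in 1074? %d\n",
           advisory_case_len() + 1,
           advisory_case_fits(1024), advisory_case_fits(1074));
    printf("hardened path rejects the worst case at 1074: %d\n",
           hardened_rejects_advisory_case(1074));
    return 0;
}
```

The measurement shows why the extra 50 bytes in the patch only cover the format's literal text: two maximal halves need 2068 bytes, so the snprintf() is what stops the overwrite, and checking its return value is what stops a clipped URL from being logged as if it were complete.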