tetrix.1.13.16.bof.txt

1999-08-17T00:00:00
ID PACKETSTORM:12281
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Wed, 17 Feb 1999 13:03:45 -0800  
From: Steven Hodges <nsn@RAW.VELOWEB.COM>  
To: BUGTRAQ@netspace.org  
Subject: Tetrix 1.13.16 is Vulnerable  
  
I have recently found a buffer overflow in a TetriNet daemon for Linux  
called "Tetrix". To exploit this bug, you will need a hostname longer than  
122 characters, and any method of connecting to the host on port 31457.  
Once you are connected, the overflow should take place.  
  
here is the patch!  
  
  
----------------------------------snip snip-------------------------------  
diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c  
--- tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998  
+++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999  
@@ -2561,7 +2562,7 @@  
/* Someone has just connected. So lets answer them */  
void net_telnet(struct net_t *n, char *buf)  
{  
- unsigned long ip; int k,l; char s[121]; char strg[121];  
+ unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];  
char n1[4], n2[4], n3[4], n4[4];  
struct channel_t *chan, *ochan;  
struct net_t *net;  
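Review bot: Only `s` is widened to UHOSTLEN on the changed declaration line; `strg[121]` on the same line keeps its literal size, so if the resolved hostname (now up to UHOSTLEN-1 bytes after the net.c change) is later formatted or copied into `strg`, the overflow moves rather than disappears. The rest of net_telnet's body lies outside the hunk, so whether `strg` receives the hostname cannot be confirmed from here; if it does, `char strg[UHOSTLEN];` plus a bounded write such as snprintf is needed as well. The header `@@ -2561,7 +2562,7 @@` also implies one line was inserted earlier in the new main.c that no hunk in this patch shows, which is worth checking before applying it.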
diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h  
--- tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998  
+++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999  
@@ -48,9 +48,8 @@  
#define SERVERBUILD "16" /* What build we are at */  
#define NICKLEN 30 /* Maximum length of Nickname */  
#define VERLEN 10 /* Maximum length of Tetrinet version */  
-#define UHOSTLEN 30 /* Maximum length of Hostname */  
+#define UHOSTLEN 256 /* Maximum length of Hostname */  
#define TEAMLEN NICKLEN /* Maximum length of teamname */  
-/*#define MAXNET 80*/ /* Maximum network sockets */  
#define MAXWINLIST 100 /* Maximum entries on Winlist */  
#define TELNET_PORT 31457 /* Telnet port to listen on */  
#define QUERY_PORT 31456 /* Query port to listen on */  
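Review bot: Raising UHOSTLEN from 30 to 256 fixes nothing by itself; it only helps where a buffer is declared with the macro and every write into it is bounded, and the two arrays overflowed here were sized with the literal 121 rather than UHOSTLEN, so any other hostname buffer sized by a literal should be checked too. The value 256 does match the DNS limit of 255 octets plus a terminator, which is worth recording next to the define, e.g. `#define UHOSTLEN 256 /* Maximum length of Hostname: 255-octet DNS limit + NUL */`. The deletion of the commented-out MAXNET line is unrelated to the fix and would be cleaner as a separate change.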
diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c  
--- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998  
+++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999  
@@ -250,15 +250,17 @@  
unsigned long ip;  
{  
struct hostent *hp; unsigned long addr=ip;  
- unsigned char *p; static char s[121];  
-/* alarm(10);*/  
+ unsigned char *p; static char s[UHOSTLEN];  
+  
hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/  
if (hp==NULL) {  
p=(unsigned char *)&addr;  
sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);  
return s;  
}  
- strcpy(s,hp->h_name); return s;  
+ strncpy(s,hp->h_name,(UHOSTLEN-1));  
+ s[strlen(s)]='\0';  
+ return s;  
}  
  
/* short routine to answer a connect received on a socket made previously  
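Review bot: The termination on the line after the strncpy relies on `s[UHOSTLEN-1]` never being written: strncpy copies at most UHOSTLEN-1 bytes and `s` is static and therefore zero-initialized, so the last byte stays NUL and `s[strlen(s)]='\0'` only rewrites a NUL that is already there. That invariant is invisible at the call site and breaks the moment someone makes `s` automatic or passes UHOSTLEN as the length; `snprintf(s, sizeof s, "%s", hp->h_name);` states both the bound and the terminator in one call and drops the strlen() scan. Names longer than UHOSTLEN-1 are still silently truncated, which is acceptable but deserves a comment. The function's name and parameter list begin before the hunk, and since it returns a pointer to a static buffer, callers must copy the result before the next call.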
----------------------------------snip snip-------------------------------  
  
---------------------------------------------------------------------------  
  
Date: Fri, 19 Feb 1999 11:04:42 +0100  
From: Pavel Machek <pavel@BUG.UCW.CZ>  
To: BUGTRAQ@netspace.org  
Subject: Re: Tetrix 1.13.16 is Vulnerable  
  
Hi!  
  
> I have recently found a buffer overflow in a TetriNet daemon for Linux  
> called "Tetrix". To exploit this bug, you will need a hostname longer than  
> 122 characters, and any method of connecting to the host on port 31457.  
> Once you are connected, the overflow should take place.  
>  
> here is the patch!  
  
...which does not work.  
  
> diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c  
> --- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998  
> +++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999  
> @@ -250,15 +250,17 @@  
> unsigned long ip;  
> {  
> struct hostent *hp; unsigned long addr=ip;  
> - unsigned char *p; static char s[121];  
> -/* alarm(10);*/  
> + unsigned char *p; static char s[UHOSTLEN];  
> +  
> hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/  
> if (hp==NULL) {  
> p=(unsigned char *)&addr;  
> sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);  
> return s;  
> }  
> - strcpy(s,hp->h_name); return s;  
> + strncpy(s,hp->h_name,(UHOSTLEN-1));  
> + s[strlen(s)]='\0';  
> + return s;  
  
If s is not null-terminated after strncpy...  
  
The strncpy() function is similar, except that not more  
than n bytes of src are copied. Thus, if there is no null  
byte among the first n bytes of src, the result will not be  
null-terminated.  
  
...then s[strlen(s)]='\0'; will not help it - because strlen() looks  
for \0 :-).  
  
s[UHOSTLEN-1]='\0'; would be correct.  
  
Pavel  
  
--  
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel  
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).  
  
`