http://archives.neohapsis.com/archives/fulldisclosure/2004-11/1115.html quote: ------------ 2. The bug: ------------ The program doesn't correctly manage the $RedirectAll command. In fact it will have a buffer overflow, letting an attacker to execute arbitrary code on the victim system. NOTE: To exploit the bug the attacker needs to have admin privilege on the victim hub." test poc: http://www.autistici.org/fdonato/poc/OpenDcHub[0714]BOF-poc.zip (kills the opendchub process) there's no vendor fix yet, but a patch on the fd-list. JG Reproducible: Always Steps to Reproduce:
Created attachment 44651 [details, diff] 0.7.14-overflow.patch Patch by Donato Ferrante from Full-Disclosure.
net-p2p, please verify/apply patch.
Well this should probably be a C2, cause it would allow a remote user to execute arbitrary code. Admin privileges shouldn't usually be given to really untrusted users though, since that allows configuring/stopping/... the hub, nevertheless admin privileges can be given to users without shell access of course. There does not seem to be a default user for running opendchubs on gentoo btw. see also <http://securitytracker.com/alerts/2004/Nov/1012323.html>
bug confirmed/patched/committed/stable in portage
GLSA drafted; security, please review.
GLSA 200411-37
