Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:10426
HistoryNov 28, 2005 - 12:00 a.m.

[Full-disclosure] ZRCSA-200503 - ktools Buffer Overflow Vulnerability

2005-11-2800:00:00
vulners.com
63

ZRCSA-200503 - ktools Buffer Overflow Vulnerability

Zone-H Research Center Security Advisory 200503
http://www.zone-h.fr

Date of release: 27/11/2005
Software: ktools (http://konst.org.ua/ktools)
Affected versions: <= 0.3
Risk: Medium
Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried"
from the Zone-H Research Team

Background (from http://konst.org.ua/ktools&#41;

ktools is a library which I wrote for my own programming needs, though
its main purpose is to provide various text-mode user interface
controls without a need to write too much code.

Details

There is a buffer overflow in kkstrtext.h :

#define VGETSTRING(c, fmt) \
{ \
va_list vgs__ap; char vgs__buf[1024]; \
va_start(vgs__ap, fmt); \
vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
va_end(vgs__ap); \
}

This library is used in the following softwares:
centericq
orpheus
motor
groan

(see http://konst.org.ua/en/konstware&#41;

It can be exploited for example in centericq when editing a contact's
details with a detail field longer than 1024 chars (a <description>
field of a rss feed for example).

Details:

case ACT_EDITUSER:
c->save();
/***************** here************/
if(face.updatedetails(c, c->getdesc().pname)) {
if(c->getdesc().pname == infocard)
c->setdispnick(c->getnick());


bool icqface::updatedetails(icqcontact *c, protocolname upname) {



while(!finished) {;
gendetails(db.gettree(), c);

gendetails()

if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) ||
!capab.count(hookcapab::flexiblereg)) {
i = tree->addnode(_(" About "));

    tree-&gt;addleaff&#40;i, 0, 39, &quot; &#37;s &quot;, about.c_str&#40;&#41;&#41;;

int treeview::addleaff(int parent, int color, int ref, const char *fmt, …) {
string buf;
VGETSTRING(buf, fmt);
return addleaf(parent, color, (void *) ref, buf);
}

  • kkstrtext.h :

#define VGETSTRING(c, fmt) \
{ \
va_list vgs__ap; char vgs__buf[1024]; \
va_start(vgs__ap, fmt); \
vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
va_end(vgs__ap); \
}

Solution

None. Vendor contacted on 18/11 and 25/11, no answer.

Original advisories:
English version: http://www.zone-h.org/en/advisories/read/id=8480/
French: http://www.zone-h.fr/fr/advisories/read/id=685


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/