KSalup 1.0.2 : bad address binding

From: _kiss_at_private
Date: Sat Jan 19 2002 - 16:51:01 PST


    KSalup is an enhanced port of Winpopup for KDE. It also allows 
    the user to send and receive Winpopup messages over a local network (LAN).
    
    It does address binding in a very dangerous way:
    
    (from main.cpp)
    
    /* local hostname -> first resolved IPv4 address */
    i=gethostname(hostname, sizeof(hostname)-1);
    
    [...]
    
    host=gethostbyname(hostname);
    
    [...]
    
    myip=*(uint32_t*)(host->h_addr_list[0]);
    
    [...]
    
    /* SO_REUSEADDR is set on the socket before binding */
    i=setsockopt(sock[2], SOL_SOCKET, SO_REUSEADDR, &b, l);
    
    [...]
    
    /* bind to the host's own address only, not to the wildcard */
    sin.sin_family=AF_INET;
    sin.sin_port=htons(138);
    sin.sin_addr.s_addr=myip;
    
    i=::bind(sock[2], (struct sockaddr*)&sin, sizeof(struct sockaddr_in));
    
    
    If a socket is bound to the wildcard address (0.0.0.0) on KSalup's port, it will capture datagrams originally intended to reach KSalup's socket.
    
    This programming error doesn't seem to be exploitable to me, since the socket we are talking about uses port 138, which is a privileged port and can only be bound by root.
    
    Anyway, a fix should be considered. It just takes binding the wildcard address as well during socket initialization.
    
          Rafael San Miguel Carrasco
          (_kiss_)
          rsanmcarat_private
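The following is an added example (not KSalup's code, and not from the poster) of the initialisation the post asks for: occupy the wildcard address on the service port so that no later socket, wildcard or interface-specific, can bind the same port. It goes one step beyond the post's suggestion by leaving SO_REUSEADDR unset on the service socket, because on Linux a port is only shareable when every socket involved has that option set. The helper names (`bind_udp`, `bind_service_port`, `demo_second_bind_refused`) and the use of port 0, which lets the kernel pick an unprivileged port so the check runs without root, are this example's own; the real service port 138 is not used here.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to ip:port. ip == NULL means the wildcard address.
 * reuse != 0 sets SO_REUSEADDR before bind (what KSalup does).
 * Returns the socket fd, or -errno on failure. */
int bind_udp(const char *ip, uint16_t port, int reuse)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    if (reuse) {
        int one = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) {
            int e = errno; close(fd); return -e;
        }
    }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);          /* wildcard by default */
    if (ip && inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}

/* Port the kernel actually assigned (needed after binding port 0). */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) return -errno;
    return ntohs(sin.sin_port);
}

/* Hardened initialisation (hypothetical replacement for the bind in main.cpp):
 * bind the wildcard address and do NOT set SO_REUSEADDR, so the kernel refuses
 * every later bind on this port, whatever address or options it asks for. */
int bind_service_port(uint16_t port)
{
    return bind_udp(NULL, port, 0);
}

/* Check: after the hardened bind, a second listener trying the wildcard and a
 * specific address (both with SO_REUSEADDR, as an attacker would set it) must
 * get EADDRINUSE. Returns 1 when both attempts are refused, 0 otherwise. */
int demo_second_bind_refused(void)
{
    int svc = bind_service_port(0);              /* port 0: kernel picks one */
    if (svc < 0) return 0;
    int port = bound_port(svc);
    if (port <= 0) { close(svc); return 0; }
    int a = bind_udp(NULL, (uint16_t)port, 1);         /* wildcard attempt */
    int b = bind_udp("127.0.0.1", (uint16_t)port, 1);  /* specific-address attempt */
    int refused = (a == -EADDRINUSE) && (b == -EADDRINUSE);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    close(svc);
    return refused;
}

int main(void)
{
    printf("second bind refused: %s\n", demo_second_bind_refused() ? "yes" : "no");
    return 0;
}
```

The check uses a kernel-chosen port only so it can run unprivileged; the behaviour it verifies is the bind-conflict rule, which does not depend on the port number.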
    



    This archive was generated by hypermail 2b30 : Sun Jan 20 2002 - 17:54:27 PST