The aforementioned exploit does not yield a shell when run against
0.8.0, but it does crash the daemon:

  ~ # gdb -q
  (gdb) att 17168
  Attaching to process 17168
  Reading symbols from /usr/bin/opendchub...(no debugging symbols found)...done.
  Reading symbols from /usr/lib/libperl.so.5.10...(no debugging symbols found)...done.
  Loaded symbols for /usr/lib/libperl.so.5.10
  Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libdl.so.2
  Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
  Loaded symbols for /lib/libm.so.6
  Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
  [Thread debugging using libthread_db enabled]
  Loaded symbols for /lib/libpthread.so.0
  Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
  Loaded symbols for /lib/libc.so.6
  Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
  Loaded symbols for /lib/libcrypt.so.1
  Reading symbols from /lib/libcap.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libcap.so.2
  Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnsl.so.1
  Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/ld-linux.so.2
  Reading symbols from /lib/libattr.so.1...(no debugging symbols found)...done.
  Loaded symbols for /lib/libattr.so.1
  Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnss_compat.so.2
  Reading symbols from /lib/libnss_nis.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnss_nis.so.2
  Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/libnss_files.so.2
  (no debugging symbols found)
  0xb7657b06 in poll () from /lib/libc.so.6
  (gdb) c
  Continuing.

  Program received signal SIGPIPE, Broken pipe.
  0xb76e9f5c in send () from /lib/libpthread.so.0
  (gdb)

The attached patch, courtesy of Moritz Muehlenhoff, does fix the
problem.

Cheers,

--Seb
diff -Naur opendchub-0.8.1/src/commands.c opendchub-0.8.2/src/commands.c
--- opendchub-0.8.1/src/commands.c	2010-01-02 12:21:20.000000000 +0100
+++ opendchub-0.8.2/src/commands.c	2010-04-08 11:36:24.000000000 +0200
@@ -1123,7 +1123,7 @@
 			break;
 	}
 	
-	sscanf(buf+i-1, "%[^S]S:%d", &discard, &user_slots);
+	sscanf(buf+i-1, "%*[^S]S:%d",  &user_slots);
 	if(user_slots < min_upload_slots)
      	  {
 	    uprintf(user, "Your upload slots are less than the allowed limit. Minimum upload slots for this hub is %d. Please increase your upload slots.|", min_upload_slots);
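Review bot: the return value of sscanf on the `+` line is still ignored, so when the client string carries no "S:" field or the number after it fails to parse, `user_slots` keeps whatever value it held before and the `if(user_slots < min_upload_slots)` check on the following line runs on stale data. Suggest guarding the comparison with `if (sscanf(buf+i-1, "%*[^S]S:%d", &user_slots) != 1)` and treating that as a malformed message rather than falling through. The `%*` assignment suppression does remove the unbounded write into `discard` that the old `%[^S]` performed, which is the substance of the fix; the doubled space before `&user_slots` is a cosmetic leftover worth tidying.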
