ZRCSA-200503 - ktools Buffer Overflow Vulnerability Zone-H Research Center Security Advisory 200503 http://www.zone-h.fr
Date of release: 27/11/2005 Software: ktools (http://konst.org.ua/ktools) Affected versions: <= 0.3 Risk: Medium Discovered by: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team Background (from http://konst.org.ua/ktools) ---------- ktools is a library which I wrote for my own programming needs, though its main purpose is to provide various text-mode user interface controls without a need to write too much code. Details -------- There is a buffer overflow in kkstrtext.h : #define VGETSTRING(c, fmt) \ { \ va_list vgs__ap; char vgs__buf[1024]; \ va_start(vgs__ap, fmt); \ vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \ va_end(vgs__ap); \ } This library is used in the following softwares: centericq orpheus motor groan (see http://konst.org.ua/en/konstware) It can be exploited for example in centericq when editing a contact's details with a detail field longer than 1024 chars (a <description> field of a rss feed for example). Details: - centericq.cc : case ACT_EDITUSER: c->save(); /***************** here************/ if(face.updatedetails(c, c->getdesc().pname)) { if(c->getdesc().pname == infocard) c->setdispnick(c->getnick()); ... ... - icqdialogs.cc : bool icqface::updatedetails(icqcontact *c, protocolname upname) { ... ... while(!finished) {; gendetails(db.gettree(), c); ... ... gendetails() .. if((capab.count(hookcapab::flexiblereg) && ri.params.empty()) || !capab.count(hookcapab::flexiblereg)) { i = tree->addnode(_(" About ")); tree->addleaff(i, 0, 39, " %s ", about.c_str()); - treeview.cc : int treeview::addleaff(int parent, int color, int ref, const char *fmt, ...) { string buf; VGETSTRING(buf, fmt); return addleaf(parent, color, (void *) ref, buf); } - kkstrtext.h : #define VGETSTRING(c, fmt) \ { \ va_list vgs__ap; char vgs__buf[1024]; \ va_start(vgs__ap, fmt); \ vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \ va_end(vgs__ap); \ } Solution --------- None. Vendor contacted on 18/11 and 25/11, no answer. Original advisories: English version: http://www.zone-h.org/en/advisories/read/id=8480/ French: http://www.zone-h.fr/fr/advisories/read/id=685 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/