#204 remote dos

open
nobody
Networking (54)
5
2007-02-01
2007-02-01
Anonymous
No

Hi,
I wish to inform you that the latest version of cotv is prone to a remotely
exploitable denial of service vulnerability because it fails to validate the
content of ServerInit packets.
A ServerInit packet contains the server's computer name and its size in the
following format:
[...]<computer-name-size><computer-name>
where:
computer-name-size is 4 bytes interpreted as an unsigned int representing the size
in bytes of the computer name
and
computer-name is a variable-size array of bytes representing the computer name

When cotv receives a ServerInit packet, it first allocates a buffer by
passing computer-name-size to malloc() and then it copies computer-name to the
newly allocated memory. The problem is that cotv doesn't validate the pointer
returned by malloc(), so it's possible that a NULL pointer will be used as the
first parameter of memcpy(), causing the program to crash.
(That's what gdb suggested to me, so I may be wrong as I don't have the cotv sources.)

Hope it helps,
cheers
-poplix
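
The allocation-and-copy pattern described in the report, beside a hardened parser for the same <computer-name-size><computer-name> tail, as an added example. This is illustrative C written for this page, not cotv's code, and it assumes that the fields the report elides ("[...]") have already been consumed, that the 4-byte size is big-endian (RFB sends integers in network order), and a hypothetical cap NAME_MAX_LEN on the name length, which the page does not specify. The sample packets are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tail of a ServerInit message as the report lays it out:
 *   [...]<computer-name-size: 4 bytes, unsigned><computer-name: that many bytes>
 * The elided fields are assumed consumed already, so buf points at
 * computer-name-size. Byte order is assumed big-endian (RFB network order). */
static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The pattern the report describes (illustrative, not the client's code):
 * the size from the wire goes straight into malloc() and memcpy().
 * A size that makes malloc() fail leaves dst == NULL and memcpy() faults;
 * a size larger than the bytes actually received also over-reads the buffer.
 * Kept only for contrast; never call it on untrusted input. */
static char *parse_name_unchecked(const uint8_t *buf)
{
    uint32_t n = read_u32_be(buf);
    char *dst = malloc(n);            /* return value not checked */
    memcpy(dst, buf + 4, n);          /* NULL dereference if malloc() failed */
    return dst;
}

/* Assumed upper bound for a desktop name; the page gives none. */
#define NAME_MAX_LEN 4096

/* Hardened parser. Returns 0 and a NUL-terminated copy in *out on success,
 * or a negative code: -1 short header, -2 size above cap,
 * -3 size exceeds bytes received, -4 allocation failed. */
int parse_server_init_name(const uint8_t *buf, size_t len,
                           char **out, size_t *out_len)
{
    if (len < 4)
        return -1;
    uint32_t n = read_u32_be(buf);
    if (n > NAME_MAX_LEN)              /* reject absurd sizes before touching the heap */
        return -2;
    if (n > len - 4)                   /* name must lie within what was actually received */
        return -3;
    char *name = malloc((size_t)n + 1);
    if (name == NULL)                  /* the check the report says is missing */
        return -4;
    memcpy(name, buf + 4, n);
    name[n] = '\0';
    *out = name;
    *out_len = n;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t kValidPkt[] = { 0x00, 0x00, 0x00, 0x05, 'c', 'h', 'i', 'c', 'k' };
static const uint8_t kHugePkt[]  = { 0xff, 0xff, 0xff, 0xff };                /* ~4 GiB claimed, 0 bytes present */
static const uint8_t kTruncPkt[] = { 0x00, 0x00, 0x00, 0x10, 'a', 'b', 'c' }; /* 16 claimed, 3 present */

/* Parse and discard; returns the hardened parser's status code. */
int parse_result(const uint8_t *buf, size_t len)
{
    char *name = NULL;
    size_t n = 0;
    int rc = parse_server_init_name(buf, len, &name, &n);
    free(name);
    return rc;
}

/* 1 if the valid packet yields the name "chick", else 0. */
int valid_name_matches(void)
{
    char *name = NULL;
    size_t n = 0;
    if (parse_server_init_name(kValidPkt, sizeof kValidPkt, &name, &n) != 0)
        return 0;
    int ok = (n == 5 && memcmp(name, "chick", 5) == 0);
    free(name);
    return ok;
}

int main(void)
{
    /* Only the well-formed packet is safe to feed the unchecked version. */
    char *raw = parse_name_unchecked(kValidPkt);
    printf("unchecked parser on valid packet: %.5s\n", raw);
    free(raw);

    printf("hardened, valid:     rc=%d\n", parse_result(kValidPkt, sizeof kValidPkt));
    printf("hardened, huge size: rc=%d\n", parse_result(kHugePkt, sizeof kHugePkt));
    printf("hardened, truncated: rc=%d\n", parse_result(kTruncPkt, sizeof kTruncPkt));
    return 0;
}
```

The oversized-size check runs before malloc() so the allocator is never asked for a size the attacker chose, and the received-length check covers the over-read that would occur even when malloc() succeeds; the NULL check is the one the report identifies.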

Discussion

  • Jared McIntyre
    Jared McIntyre
    2007-03-16

    Logged In: YES
    user_id=751989
    Originator: NO

    Do you have an easy way to create this scenario? That would make fixing it a lot easier.

     
  • Jared McIntyre
    Jared McIntyre
    2007-03-25

    Logged In: YES
    user_id=751989
    Originator: NO

    Do you have a reproduction case? I'm curious under what scenario you were seeing this.