From djb@cr.yp.to Wed Dec 15 14:22:12 2004
Date: 15 Dec 2004 08:24:39 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, napshare-developer@lists.sourceforge.net
Subject: [remote] [control] NapShare 1.2 auto_filter_extern overflows
    filename buffer

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered a remotely exploitable security hole in NapShare, at
least version 1.2 (the current version in FreeBSD ports). I'm publishing
this notice, but all the discovery credits should be assigned to Sieka.

You are at risk if you use NapShare with an ``extern'' filter.
Anyone who provides a gnutella response to NapShare (not necessarily the
legitimate server administrator; an attacker can modify responses
passing through the network) then has complete control over your
account: he can read and modify your files, watch the programs you're
running, etc.

The attached files 40-1.c and 40-2.c are two different proof-of-concept
servers that will convince NapShare under FreeBSD 5 to create
unauthorized files in the current directory.

Here's the bug: In auto.c, auto_filter_extern() uses strcpy() to copy
any amount of data into a 5200-byte filename[] array.
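As an added illustration, not NapShare's code and not Sieka's proof of concept, the unchecked-copy pattern described above is shown beside a bounded replacement. The 5200-byte size comes from the advisory; the function and parameter names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define FILENAME_BUF 5200   /* size of filename[] as stated in the advisory */

/* Reconstructed shape of the flaw: strcpy() copies until the source's NUL,
 * so a name longer than the array overruns the stack. Not NapShare's
 * actual code; shown only for contrast with the checked version below. */
void copy_filename_unchecked(char *filename, const char *name)
{
    strcpy(filename, name);          /* no bound on how much is written */
}

/* Bounded replacement: copies name into dst only if it fits, including the
 * terminating NUL. Returns 0 on success, -1 if the name is too long.
 * It rejects rather than truncates, so an over-long name is never
 * silently turned into a different filename. */
int copy_filename_checked(char *dst, size_t dstsz, const char *name)
{
    size_t n = 0;
    /* measure without ever reading past dstsz bytes of the source */
    while (n < dstsz && name[n] != '\0')
        n++;
    if (n >= dstsz)                  /* no room left for the NUL */
        return -1;
    memcpy(dst, name, n + 1);        /* n bytes plus the terminator */
    return 0;
}

/* Models the filter's local array: 1 if name is accepted, 0 if rejected. */
int filename_fits(const char *name)
{
    char filename[FILENAME_BUF];
    return copy_filename_checked(filename, sizeof filename, name) == 0;
}
```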

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
