Bugtraq mailing list archives

Buffer Overflow in TIAtunnel-0.9alpha2


From: qitest1 <qitest1 () cercaband com>
Date: Wed, 6 Jun 2001 15:45:55 +0200 (CEST)


  /* qitest1's security advisory #001 
   */
  
  Buffer Overflow in TIAtunnel-0.9alpha2  
  
+Systems Affected
  Any system running TIAtunnel-0.9alpha2

+Program Description
  TIAtunnel is a simple IRC bouncer that allows access from a simple
  IPv4 box to any kind of well-known server. It has been written by
  tHE rECIdjVO <recidjvo () pkcrew org>, http://tiatunnel.pkcrew.org/.

+Vulnerability And Impact
  A remote attacker can overflow a buffer and execute arbitrary code 
  on the system with the privileges of the user running TIAtunnel. 
  In fact, in auth.c at line 28 the read loop is bounded at 1024 bytes
  while authline holds only 512:
  struct tunnel *auth_conn(int *csock, int entries)
  {
          char authline[512];                     /* static char buf */
          struct tunnel *t_current;
          int i = 0;

          // Read one line from the client
          bzero(authline, 512);
          while((authline[i - 1] != '\n') && (authline[i - 1] != '\r') &&
                (i < 1024)) {                     /* 1024?! =) */
                  read(*csock, (authline + i++), (size_t)1);
          }

+Solution
  Author was contacted. Upgrade your version of TIAtunnel.

+Exploit
  This bug can be successfully exploited by a remote attacker.
  Demonstration exploit code is attached to this advisory. See the
  code for more info.

-- 
/* qitest1              http://qitest1.cjb.net *
 *    ``Ut tensio, sic vis. 69 tecum sis.''    *
 * main(){if(unsatisfied == 69) try_come(in);} */

Attachment: tiatunnel.c
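
Added example, not part of the original advisory or of TIAtunnel's code: one way to read the auth line so that it can never exceed the 512-byte authline buffer, rejecting overlong lines and failed reads (whose return value the quoted loop ignores) instead of continuing to write. The names read_auth_line, try_line and AUTHLINE_MAX are hypothetical, and the input is constructed.

```c
#include <string.h>
#include <unistd.h>

#define AUTHLINE_MAX 512            /* capacity of authline[] in the advisory */

/* Hypothetical helper, not TIAtunnel code: read one CR/LF-terminated line.
 * Returns its length, or -1 on error, EOF, or a line longer than cap - 1. */
static long read_auth_line(int fd, char *buf, size_t cap)
{
    size_t i = 0;
    char c;

    if (buf == NULL || cap == 0)
        return -1;
    for (;;) {
        ssize_t n = read(fd, &c, 1);
        if (n <= 0)
            break;                  /* error or peer closed early: fail closed */
        if (c == '\n' || c == '\r') {
            buf[i] = '\0';          /* i <= cap - 1 here, so this is in bounds */
            return (long)i;
        }
        if (i + 1 >= cap)
            break;                  /* no room for this byte plus NUL: reject */
        buf[i++] = c;
    }
    buf[0] = '\0';                  /* never hand back a partial line */
    return -1;
}

/* Constructed input: len filler bytes plus '\n', fed through a pipe. */
static long try_line(size_t len)
{
    char in[2048], line[AUTHLINE_MAX];
    int p[2];
    long r = -2;                    /* -2: the test setup itself failed */

    if (len + 1 > sizeof in || pipe(p) != 0)
        return -2;
    memset(in, 'A', len);
    in[len] = '\n';
    if (write(p[1], in, len + 1) == (ssize_t)(len + 1))
        r = read_auth_line(p[0], line, sizeof line);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    return (try_line(511) == 511 && try_line(512) == -1) ? 0 : 1;
}
```

A 511-byte line is the longest accepted; anything from 512 bytes up is rejected, and the caller should drop the connection.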