bug-gnu-chess

buffer overflow vulnerability


From: Bernhard Kuemel
Subject: buffer overflow vulnerability
Date: Tue, 22 Jan 2002 05:00:49 +0100

Hi bug-gnu-chess!

gnuchess contains a buffer overflow vulnerability that may lead to
arbitrary command execution if an attacker is permitted to send
commands to gnuchess remotely via the internet.

----------------------------------------------------
address@hidden:/usr/src/gnuchess$ gdb ./gnuchess
(gdb) run
Starting program: /usr/src/gnuchess/./gnuchess 
GNU Chess v5.02

Transposition table:  Entries=1024K Size=32768K
Pawn hash table: Entries=384K Size=18432K
White (1) : AAAAAAAAAAAAAAA1234567890

Program received signal SIGSEGV, Segmentation fault.
0x35343332 in ?? ()
-----------------------------------------------------

In file cmd.c:

    65  void InputCmd ()
    66  /*************************************************************************
    67   *
    68   *  This is the main user command interface driver.
    69   *
    70   ***********************************************************************
   477     /* everything else must be a move */
or e.g. malicious input
   478     else
   479     {
   480        ptr = ValidateMove (cmd);

In file move.c:

   500  leaf * ValidateMove (char *s)
   501  /*************************************************************************
   502   *
   503   *  This routine takes a string and check to see if it is a legal move.
   504   *  Note.  At the moment, we accept 2 types of moves notation.
   505   *  1.  e2e4 format.   2. SAN format. (e4)
   506   *
   507   ***********************************************************************
   508  {
   509     short f, t, side, rank, file, fileto;
   510     short piece, kount;

This is the reason for the overflow:
   511     char mvstr[10], *p;
                      ^^
   512     BitBoard b;
   513     leaf *n1, *n2;
   514  

   524     p = mvstr;
   525     do
   526     {
   527        if (*s != 'x' && *s != '+' && *s != '=')

The overflow happens here:
   528           *p++ = *s; 
                 ^^^^^^^^^^
   529     } while (*s++ != '\0');

You may eliminate the vulnerability by defining

   511     char mvstr[64], *p;

since you limit the input to 64 bytes in cmd.c:

   120          if (fgets (inputstr, 64, stdin) && inputstr[0])
   121              inputstr[strlen(inputstr)-1] = '\000';

Please tell me when you will release a fixed version so I can announce
the vulnerability on the bugtraq mailing list. Please respond within a
reasonable time or I will publish the vulnerability before you release
a fixed version.

Bernhard
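The following is an added example for readers of the archive; it is not part of the report above and not GNU Chess code. It reproduces the quoted do/while loop as a pure counting routine (so it never overflows anything) to show how many bytes the loop writes for a given input, and places a bounded, hypothetical replacement next to it that keeps the same filtering of 'x', '+' and '=' but refuses input whose filtered form plus NUL does not fit. MVSTR_SIZE, unbounded_copy_len, bounded_move_copy and overflows_mvstr are names chosen here, and the inputs in main() are constructed. One check worth making on the gdb output above: the faulting address 0x35343332 is the bytes 0x32 0x33 0x34 0x35, i.e. the ASCII string "2345" from the report's input read little-endian, which is what one expects when the saved return address on an x86 stack has been overwritten by the move string.

```c
#include <stdio.h>
#include <string.h>

/* Size of mvstr[] in ValidateMove() of GNU Chess 5.02, as quoted above. */
#define MVSTR_SIZE 10

/* How many bytes the quoted do/while loop would write into mvstr for
 * input s: every byte that is not 'x', '+' or '=', plus the terminating
 * NUL. This only counts and never copies, so it is safe on any input. */
size_t unbounded_copy_len(const char *s)
{
    size_t n = 0;
    do {
        if (*s != 'x' && *s != '+' && *s != '=')
            n++;
    } while (*s++ != '\0');
    return n;
}

/* Bounded replacement for that loop (hypothetical, not the GNU Chess fix):
 * same filtering, but refuses any input whose filtered form plus NUL does
 * not fit in dst[dstlen]. Returns 0 on success, -1 if it would overflow;
 * dst is NUL-terminated on success and left untouched on failure. */
int bounded_move_copy(const char *s, char *dst, size_t dstlen)
{
    size_t n = 0;

    if (dstlen == 0)
        return -1;
    /* Measure first, so a too-long input never writes into dst at all. */
    if (unbounded_copy_len(s) > dstlen)
        return -1;
    for (; *s != '\0'; s++) {
        if (*s == 'x' || *s == '+' || *s == '=')
            continue;
        dst[n++] = *s;
    }
    dst[n] = '\0';
    return 0;
}

/* 1 if input s would overflow mvstr[MVSTR_SIZE] in the loop as quoted,
 * 0 if it fits. */
int overflows_mvstr(const char *s)
{
    return unbounded_copy_len(s) > MVSTR_SIZE;
}

int main(void)
{
    /* Constructed inputs: a few legal moves plus the reporter's crash string. */
    const char *inputs[] = {
        "e2e4", "Nxe5+", "exd8=Q+", "AAAAAAAAAAAAAAA1234567890"
    };
    char mvstr[MVSTR_SIZE];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *s = inputs[i];
        printf("%-28s needs %2zu bytes, mvstr[%d] %s, bounded copy -> ",
               s, unbounded_copy_len(s), MVSTR_SIZE,
               overflows_mvstr(s) ? "OVERFLOWS" : "fits");
        if (bounded_move_copy(s, mvstr, sizeof mvstr) == 0)
            printf("\"%s\"\n", mvstr);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The bounded version measures the filtered length before writing, so it does not depend on whatever limit the caller happens to enforce on the raw line; the buffer size passed in is the only thing that matters, and a mismatch between the two layers cannot reintroduce the overflow.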


