Bug 63702 (CVE-2004-1079)

Summary: VUL-0: CVE-2004-1079: ncpfs: buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Olaf Hering <ohering>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1079: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  patchinfo-box.ncpfs
  patchinfo.ncpfs
  ncpfs-2.2.4-NWDSCreateContextHandleMnt.patch

Description Thomas Biege 2004-11-30 22:17:08 UTC
Hello Olaf, 
this one was posted to Bugtraq. 
 
From: Karol Więsek <appelast@drumnbass.art.pl>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103) 
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com 
Subject: [Full-Disclosure] ncpfs buffer overflow 
Errors-To: full-disclosure-admin@lists.netsys.com 
Date: Mon, 29 Nov 2004 13:58:02 +0100 
 
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
There is a buffer overflow in ncplogin and ncpmap in nwclient.c.
 
 
static void strcpy_cw(wchar_t *w, const char* s) {
        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const NWDSChar * treeName){
    ...
    wchar_t wc_treeName[MAX_DN_CHARS+1];

    if (!treeName)
        return ERR_NULL_POINTER;

    strcpy_cw (wc_treeName,treeName);
 
 
Currently I have not managed to successfully exploit this bug on x86.
 
How to reproduce:
 
ncplogin -T `perl -e '{print"a"x"330"}'` 
ncpmap -T `perl -e '{print"a"x"330"}'` / 
 
Tested on ncpfs-2.2.4-1 from Fedora Core 2
 
-----BEGIN PGP SIGNATURE----- 
Version: GnuPG v1.2.4 (GNU/Linux) 
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org 
 
iD8DBQFBqxzaFTSet8AbQUQRAiycAJ4+5YDHawXMrXiu2wPHt6IRN2Xx0wCeM7vm 
LpGHtO/7DHkoRO18OQwve4M= 
=YwvU 
-----END PGP SIGNATURE----- 
 
Comment 1 Thomas Biege 2004-11-30 22:17:08 UTC
ncplogin -T `perl -e '{print"a"x"330"}'` 
ncpmap -T `perl -e '{print"a"x"330"}'` /
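The report above shows why the -T argument overruns wc_treeName: strcpy_cw stops only at the NUL terminator and never consults the destination size. The following is an added example, not ncpfs source and not the attached patch; MAX_DN_CHARS and the error codes are assumed values chosen for the demo. It keeps the quoted copy loop as posted, adds the missing length check in front of it, and shows that the 330-byte reproduction input from the report is refused before any byte is written.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Added example, not ncpfs source. MAX_DN_CHARS and the error codes below are
 * assumptions for this demo; the ncpfs definitions differ. */
#define MAX_DN_CHARS 256
#define ERR_NULL_POINTER     (-1)
#define ERR_NAME_TOO_LONG    (-2)   /* hypothetical code, not an ncpfs constant */
#define NWDS_OK              0

typedef unsigned char nuint8;
typedef int NWDSCCODE;

/* The copy loop quoted in the report, kept as posted: it widens each byte to a
 * wchar_t and stops only at the NUL, so the destination size is never consulted. */
static void strcpy_cw(wchar_t *w, const char *s)
{
    while ((*w++ = *(const nuint8 *)s++) != 0)
        ;
}

/* Number of wchar_t slots strcpy_cw writes for s, terminator included.
 * Comparing this with the destination length is the check the quoted code lacks. */
static size_t cw_slots_needed(const char *s)
{
    return strlen(s) + 1;
}

/* 1 if copying s with strcpy_cw into a buffer of wc_len wchar_t would overrun it. */
static int cw_would_overflow(const char *s, size_t wc_len)
{
    return cw_slots_needed(s) > wc_len;
}

/* Hardened shape of the first step of NWDSCreateContextHandleMnt (added here,
 * not the project's patch): validate the length before any byte is copied, so an
 * over-long tree name is refused instead of written past wc_treeName. */
static NWDSCCODE copy_tree_name_checked(wchar_t *wc_treeName, size_t wc_len,
                                        const char *treeName)
{
    if (!treeName)
        return ERR_NULL_POINTER;
    if (cw_would_overflow(treeName, wc_len))
        return ERR_NAME_TOO_LONG;
    /* Only reached when the whole string plus terminator fits. */
    strcpy_cw(wc_treeName, treeName);
    return NWDS_OK;
}

/* Builds the report's reproduction input: n copies of 'a'. Constructed for the
 * demo; buf must hold n+1 bytes. */
static void fill_repro_name(char *buf, size_t n)
{
    memset(buf, 'a', n);
    buf[n] = '\0';
}

/* Exercises the checked copy and returns 1 if it behaves as intended: a short
 * name is copied intact, the 330-byte repro input and a NULL name are rejected. */
static int demo(void)
{
    wchar_t wc_treeName[MAX_DN_CHARS + 1];
    char repro[331];
    fill_repro_name(repro, 330);

    if (copy_tree_name_checked(wc_treeName, MAX_DN_CHARS + 1, "MYTREE") != NWDS_OK)
        return 0;
    if (wcscmp(wc_treeName, L"MYTREE") != 0)
        return 0;
    if (copy_tree_name_checked(wc_treeName, MAX_DN_CHARS + 1, repro) != ERR_NAME_TOO_LONG)
        return 0;
    if (copy_tree_name_checked(wc_treeName, MAX_DN_CHARS + 1, NULL) != ERR_NULL_POINTER)
        return 0;
    return 1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The check is done against the caller-supplied buffer length rather than a global constant so the same helper works for any destination; with the assumed MAX_DN_CHARS of 256 the 330-character input from the report exceeds the 257 available slots and is rejected, which is the behaviour a fix for this class of bug has to guarantee regardless of the real constant's value.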
Comment 2 Thomas Biege 2004-12-06 20:32:26 UTC
swamp-id 569 
Comment 3 Thomas Biege 2004-12-06 20:44:16 UTC
Created attachment 26776 [details]
patchinfo-box.ncpfs
Comment 4 Thomas Biege 2004-12-06 20:44:33 UTC
Created attachment 26777 [details]
patchinfo.ncpfs
Comment 5 Thomas Biege 2004-12-06 20:47:44 UTC
CAN-2004-1079 
Comment 6 Harald Mueller-Ney 2004-12-06 22:11:26 UTC
SWAMPID: 61

I think there was something wrong above
Comment 7 Thomas Biege 2004-12-14 19:52:19 UTC
Olaf, 
is something missing you need to handle this bug? 
Comment 8 Olaf Hering 2004-12-14 19:54:26 UTC
Created attachment 27033 [details]
ncpfs-2.2.4-NWDSCreateContextHandleMnt.patch

yes, the 48-hour day.
Comment 9 Olaf Hering 2004-12-14 20:09:28 UTC
I have copied the patchinfo and the package to 8.1, 8.2, 9.0, 9.1 and 9.2
9.3 will get a version update.
Comment 10 Olaf Hering 2004-12-16 04:07:00 UTC
Packages are being built now.
Comment 11 Marcus Meissner 2004-12-21 20:49:49 UTC
updates have been released. 
Comment 12 Thomas Biege 2009-10-13 20:01:38 UTC
CVE-2004-1079: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)