Bug 63702 (CVE-2004-1079) - VUL-0: CVE-2004-1079: ncpfs: buffer overflow
Summary: VUL-0: CVE-2004-1079: ncpfs: buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2004-1079
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Olaf Hering
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-1079: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-30 22:17 UTC by Thomas Biege
Modified: 2021-10-17 14:56 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patchinfo-box.ncpfs (820 bytes, text/plain) - 2004-12-06 20:44 UTC, Thomas Biege
patchinfo.ncpfs (669 bytes, text/plain) - 2004-12-06 20:44 UTC, Thomas Biege
ncpfs-2.2.4-NWDSCreateContextHandleMnt.patch (5.27 KB, patch) - 2004-12-14 19:54 UTC, Olaf Hering

Description Thomas Biege 2004-11-30 22:17:08 UTC
Hello Olaf, 
this one was posted to Bugtraq. 
 
From: Karol Więsek <appelast@drumnbass.art.pl> 
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103) 
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com 
Subject: [Full-Disclosure] ncpfs buffer overflow 
Errors-To: full-disclosure-admin@lists.netsys.com 
Date: Mon, 29 Nov 2004 13:58:02 +0100 
 
 
There is a buffer overflow in ncplogin and ncpmap in nwclient.c. 
 
 
/* unbounded copy: stops only at the NUL of s, never looks at the size of w */
static void strcpy_cw(wchar_t *w, const char* s) {
        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const NWDSChar * treeName){
...
        wchar_t wc_treeName[MAX_DN_CHARS+1];   /* fixed-size stack buffer */

        if (!treeName)
                return ERR_NULL_POINTER;

        strcpy_cw (wc_treeName,treeName);      /* treeName length is never checked */
 
 
Currently I have not managed to successfully exploit this bug on x86. 
 
How to reproduce: 
 
ncplogin -T `perl -e '{print"a"x"330"}'` 
ncpmap -T `perl -e '{print"a"x"330"}'` / 
 
Tested on ncpfs-2.2.4-1 from fedora core 2 
 
 
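The copy quoted in the report has no length check against the MAX_DN_CHARS+1 buffer. The following is an added example of a bounded replacement and the validation the caller needs; it is not ncpfs code and not the attached patch. The value of MAX_DN_CHARS, the ERR_DN_TOO_LONG error code, the value of ERR_NULL_POINTER and the function check_tree_name are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define MAX_DN_CHARS     256   /* assumed value; the report does not state it */
#define ERR_NULL_POINTER (-1)  /* name from the report, value assumed */
#define ERR_DN_TOO_LONG  (-2)  /* assumed name and value */

typedef int NWDSCCODE;         /* return-code type named in the report */

/* Bounded wide-char copy. Returns 0 on success and -1 if s does not fit
 * into w's wlen elements together with the terminating NUL. On failure
 * nothing is written, so the caller's buffer can never be overrun. */
static int strncpy_cw(wchar_t *w, size_t wlen, const char *s)
{
    size_t n = strlen(s);
    if (wlen == 0 || n >= wlen)
        return -1;
    for (size_t i = 0; i <= n; i++)            /* copies the NUL as well */
        w[i] = (wchar_t)(unsigned char)s[i];   /* unsigned: no sign extension */
    return 0;
}

/* Models the input validation NWDSCreateContextHandleMnt needs before
 * filling its fixed-size stack buffer: reject NULL, reject tree names
 * longer than MAX_DN_CHARS, otherwise copy. Returns 0 on success. */
NWDSCCODE check_tree_name(const char *treeName)
{
    wchar_t wc_treeName[MAX_DN_CHARS + 1];

    if (!treeName)
        return ERR_NULL_POINTER;
    if (strncpy_cw(wc_treeName, sizeof wc_treeName / sizeof wc_treeName[0],
                   treeName) != 0)
        return ERR_DN_TOO_LONG;   /* the 330-character -T argument ends here */
    return 0;
}
```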
Comment 1 Thomas Biege 2004-11-30 22:17:08 UTC
ncplogin -T `perl -e '{print"a"x"330"}'` 
ncpmap -T `perl -e '{print"a"x"330"}'` /
Comment 2 Thomas Biege 2004-12-06 20:32:26 UTC
swamp-id 569 
Comment 3 Thomas Biege 2004-12-06 20:44:16 UTC
Created attachment 26776 [details]
patchinfo-box.ncpfs
Comment 4 Thomas Biege 2004-12-06 20:44:33 UTC
Created attachment 26777 [details]
patchinfo.ncpfs
Comment 5 Thomas Biege 2004-12-06 20:47:44 UTC
CAN-2004-1079 
Comment 6 Harald Mueller-Ney 2004-12-06 22:11:26 UTC
SWAMPID: 61

I think there was something wrong above
Comment 7 Thomas Biege 2004-12-14 19:52:19 UTC
Olaf, 
is something missing you need to handle this bug? 
Comment 8 Olaf Hering 2004-12-14 19:54:26 UTC
Created attachment 27033 [details]
ncpfs-2.2.4-NWDSCreateContextHandleMnt.patch

yes, the 48 hours day.
Comment 9 Olaf Hering 2004-12-14 20:09:28 UTC
I have copied the patchinfo and the package to 8.1, 8.2, 9.0, 9.1 and 9.2
9.3 will get a version update.
Comment 10 Olaf Hering 2004-12-16 04:07:00 UTC
packages are being built now.
Comment 11 Marcus Meissner 2004-12-21 20:49:49 UTC
updates have been released. 
Comment 12 Thomas Biege 2009-10-13 20:01:38 UTC
CVE-2004-1079: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)