| Summary | Groupware message receive integer overflow | 
|---|---|
| Date | 2004-08-26 | 
| CVE Number | CVE-2004-0754 | 
| Discovered By | Sean (infamous42md) | 
| Fixed In Release | 0.82 | 
Integer overflow in memory allocation results in heap overflow. By passing the
size variable as ~0, the integer overflows to 0 when 1 is added in g_alloc().
A malloc(0) call results in 16 bytes of memory being allocated on IA-32.
Then we can overflow the heap when nm_read_all() is called in the next step.
Usually cases like this suck for exploitation, because the len (~0) is so
large that a following call to memcpy() or strcpy() will just run into
kernel mem or an unmapped address and fault. However, in this case we read the
data from the network via a read() call, so we can just stop sending data and
close the connection to bail out before ~0 bytes are read. Note that this is
triggered by input from the server, not directly from a client. Someone
running a malicious groupware server could leverage this to run arbitrary code
on the client.
Bounds checking was added.
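Added illustration, not Gaim's own code: it models the 32-bit `len + 1` arithmetic described above (showing the wrap to 0) next to the kind of bounds check a hardened receive path applies before allocating and before copying. `MAX_MSG_LEN`, the function names and the sample payload are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy cap; any len below it also cannot wrap when 1 is added. */
#define MAX_MSG_LEN (1024u * 1024u)

/* Vulnerable arithmetic: 32-bit wire length plus one for the terminator. */
uint32_t unchecked_alloc_size(uint32_t len)
{
    return len + 1;            /* 0xFFFFFFFF + 1 wraps to 0 */
}

/* Hardened allocation: reject oversized or wrapping lengths before malloc. */
char *alloc_message_buffer(uint32_t len)
{
    if (len >= MAX_MSG_LEN)
        return NULL;
    return calloc(len + 1, 1);
}

/* Reader guard: honour the real buffer size, not the announced length. */
int copy_into_buffer(char *buf, uint32_t buf_size, const unsigned char *src, uint32_t n)
{
    if (n >= buf_size)         /* keep room for the NUL terminator */
        return -1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return (int)n;
}

/* Allocate for announced len, deliver n constructed bytes: 1 if accepted, else 0. */
int roundtrip(uint32_t len, uint32_t n)
{
    static const unsigned char sample[32] = "constructed sample payload data";
    char *buf = n <= sizeof sample ? alloc_message_buffer(len) : NULL;
    if (!buf)
        return 0;
    int ok = copy_into_buffer(buf, len + 1, sample, n) >= 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("~0 + 1 = %u, roundtrip(~0,4)=%d roundtrip(8,4)=%d roundtrip(3,4)=%d\n",
           unchecked_alloc_size(0xFFFFFFFFu), roundtrip(0xFFFFFFFFu, 4), roundtrip(8, 4), roundtrip(3, 4));
    return 0;
}
```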