Title: BeOS Vulnerabilities
Released by: vort-fu
Date: 13th November 2000
This advisory was actually written by me back in February this year, only
to be misplaced and forgotten about until now. Some of the applications
listed, most notably Baxter and the other IRC clients, were patched
earlier this year as a result of me informing the relevant developers.

These applications were tested on the following BeOS releases:
r4.5, r4.5-2, r5 pro.

vort-fu
vort@wiretapped.net

------------------- start advisory --------------------

I know that there is a very minimal base of users actually using
BeOS (if any) but this is being released none the less. If anyone
has detailed information on the BeOS stack, please contact me privately.

BeOS Applications:

  Felix-2-3-R4   (IRC Client)
  Baxter         (IRC Client)
  Bowser         (IRC Client)
  PostMaster-1.0 (Email Client)
  RobinHood-1.1  (Httpd)

Felix-2-3-R4

Introduction

Felix is BeOS's first available IRC client and, to date, one of the
most popular. Felix, like many 'Internet Aware' BeOS applications,
parses data containing web-specific terms such as 'http' and 'www'
and creates a link which opens the string in BeOS's shipped
web browser, NetPositive.

Vulnerability

The parsing of URLs from channel / private message text does not
include proper or complete bounds checking on the length of the URL.
Thus if the URL exceeds the bound set by Felix, the variable is
overflowed and Felix crashes.

The URL does not need to be clicked, highlighted or accessed by any
special means; the problem lies in the creation of the link to
NetPositive.

Example

 http://AAAAAAAAAA .........
 |_________________________|  -- 500+ characters

Registers

segment violation occurred
41414141 read_fault

eax 00000001   ebp 41414141   cs 001b
edx 001a6fe0   esi 80176200   ss 0023
ecx 00000001   edi 80176200   ds 0023
ebx 800c01c8   esp fc4c176c   es 0023
                              fs 0000
eflags 00010282  eip 41414141
trap_no 0000000e error_code 00000004

Both the Baxter and Bowser IRC clients suffer from the same type of
overflow. The lengths at which they overflow may be different, but
given a high enough length they can both produce unwanted events.

Baxter tends to simply crash when the URL string is too long, the
same as Felix. With Bowser (which might crash at a higher length)
it simply 'resets' the user's channel screen, removing anything
that was previously typed in the channel or by the user.

PostMaster 1.0
(only tested on the demo version of 1.0)

PostMaster also creates links to web-specific terms in any received
emails and will crash once a message with an http string longer than
512 bytes is read. Depending on how and when the message is read,
PostMaster will crash every time it is loaded until the offending
email is manually removed from /boot/home/mail/in/
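The link-creation bug shared by Felix, Baxter, Bowser and PostMaster comes down to one thing: a URL token of unchecked length is copied into a fixed-size buffer. The C program below is an added example written for this page, not code from any of those clients. It shows that unchecked pattern (never called) beside a bounded extractor that refuses tokens which would not fit, so the message is displayed without a link instead of overrunning the stack. MAX_URL, the function names and the constructed channel lines are assumptions; the 512-byte limit mirrors the PostMaster figure above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest URL the link builder accepts. Hypothetical limit, chosen to
 * mirror the 512-byte threshold the advisory reports for PostMaster. */
#define MAX_URL 512

/* The pattern the advisory describes, kept only for contrast and never
 * called: the token is copied into a fixed buffer with no length check, so a
 * token longer than the buffer overwrites the saved frame pointer and return
 * address (the 0x41414141 in ebp and eip in the register dumps above). */
void make_link_unchecked(const char *token, size_t len)
{
    char url[MAX_URL];
    memcpy(url, token, len);       /* len is never compared to sizeof url */
    url[len] = '\0';
    (void)url;                     /* a client would hand url to the browser here */
}

/* True if s begins with one of the web-specific terms the clients look for. */
static int is_url_start(const char *s)
{
    return strncmp(s, "http://", 7) == 0 || strncmp(s, "www.", 4) == 0;
}

static int is_space(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Hardened form. Copies the first URL-looking token of msg into out.
 * Returns the token length, 0 if msg holds no URL, or -1 if the token will
 * not fit in out; on -1 the caller shows the text without a link instead of
 * overrunning the buffer. */
int extract_url(const char *msg, char *out, size_t outsz)
{
    const char *p = msg;
    while (*p) {
        while (is_space(*p))
            p++;
        if (!*p)
            break;
        size_t len = 0;
        while (p[len] && !is_space(p[len]))
            len++;
        if (is_url_start(p)) {
            if (len + 1 > outsz)   /* room for the terminating NUL */
                return -1;
            memcpy(out, p, len);
            out[len] = '\0';
            return (int)len;
        }
        p += len;
    }
    return 0;
}

/* Test helper: builds a constructed channel line "<nick> http://" followed
 * by n 'A' characters (the shape of the advisory's crash example) and runs
 * extract_url on it with a MAX_URL-byte destination. */
int check_url_of_length(size_t n)
{
    static const char prefix[] = "<nick> http://";
    size_t plen = sizeof prefix - 1;
    char out[MAX_URL];
    char *msg = malloc(plen + n + 1);
    int r;
    if (!msg)
        return -2;
    memcpy(msg, prefix, plen);
    memset(msg + plen, 'A', n);
    msg[plen + n] = '\0';
    r = extract_url(msg, out, sizeof out);
    free(msg);
    return r;
}

int main(void)
{
    char out[MAX_URL];
    int r = extract_url("see http://example.invalid/page for details", out, sizeof out);
    printf("short URL: %d bytes -> %s\n", r, out);
    printf("600-byte URL: %d (rejected rather than overflowed)\n",
           check_url_of_length(600));
    return 0;
}
```

The check is `len + 1 > outsz`, not `len > outsz`: the terminating NUL needs its own byte, and forgetting it is the classic off-by-one that turns a "bounded" copy into a one-byte overwrite.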







RobinHood 1.1-httpd

Introduction

RobinHood is one of the best free third-party HTTP servers for BeOS,
based on libHTTP, which was created by the same author. Although it is
written entirely for BeOS with no ported code, even the upgrade from
1.0 to 1.1 fails to add proper bounds checking on received requests.

The problem may be included in libHTTP and thus in any applications
that use it. I have not had the chance to look at it, nor do I know of
any actual applications that use it apart from RobinHood.

Vulnerability

RobinHood fails to check received requests in both RHConsole (GUI
management tool) and RHDaemon (the actual server). Because of this, it
is possible to crash both the console and the daemon by sending a
request longer than ~4080 bytes.

This error is located in the following files:

RobinHoodx86/source/RHConsole/source/RHCWindow.cpp
int RHCWindow::ConsolePrintf(const char *format, ...)

and

RobinHoodx86/source/RHDaemon/source/RHLogger.cpp
log_printf(const char *format, ...)
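Both functions named above are printf-style wrappers, and a crash threshold just under 4096 bytes is consistent with a fixed buffer filled by an unbounded vsprintf (an assumption; the advisory names the functions, not the call inside them). The C program below is an added example written for this page, not RobinHood's or libHTTP's code. It contrasts that unchecked pattern (never called) with a logger that formats through vsnprintf, reports when a request line was cut short, and never writes past its buffer. LOG_BUF, the function names and the constructed request line are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed log-line buffer. Hypothetical size, chosen to mirror the ~4080-byte
 * threshold the advisory reports for RobinHood. */
#define LOG_BUF 4096

static char g_last_line[LOG_BUF];   /* last formatted line, kept for inspection */

/* The pattern the advisory points at in log_printf/ConsolePrintf, kept only
 * for contrast and never called: vsprintf does not know how large buf is, so
 * a request longer than the buffer writes past it (the 0x41414141 in ebp
 * and eip in the register dump below). */
void log_printf_unchecked(const char *format, ...)
{
    char buf[LOG_BUF];
    va_list ap;
    va_start(ap, format);
    vsprintf(buf, format, ap);      /* unbounded write into buf */
    va_end(ap);
    fputs(buf, stdout);
}

/* Hardened form. vsnprintf stores at most LOG_BUF-1 characters plus the NUL
 * and returns the length the whole message would have had, which lets the
 * caller detect a cut line. Returns that length, or -1 on a formatting error. */
int log_printf_bounded(const char *format, ...)
{
    va_list ap;
    int needed;
    va_start(ap, format);
    needed = vsnprintf(g_last_line, sizeof g_last_line, format, ap);
    va_end(ap);
    if (needed < 0) {
        g_last_line[0] = '\0';
        return -1;
    }
    if (needed >= LOG_BUF)          /* did not fit: mark the stored line as cut */
        memcpy(g_last_line + LOG_BUF - 4, "...", 3);
    fputs(g_last_line, stdout);
    return needed;
}

/* True if the length reported by log_printf_bounded exceeded the buffer. */
int log_was_truncated(int needed)
{
    return needed >= LOG_BUF;
}

const char *last_log_line(void)
{
    return g_last_line;
}

/* Test helper: logs a constructed request line of n 'A' characters the way
 * the daemon logs every request it receives, and returns the length
 * log_printf_bounded reported. */
int log_request_of_length(size_t n)
{
    char *req = malloc(n + 1);
    int needed;
    if (!req)
        return -1;
    memset(req, 'A', n);
    req[n] = '\0';
    needed = log_printf_bounded("request: %s\n", req);
    free(req);
    return needed;
}

int main(void)
{
    int needed = log_request_of_length(5000);
    printf("needed %d bytes, stored %zu, truncated: %s\n", needed,
           strlen(last_log_line()), log_was_truncated(needed) ? "yes" : "no");
    return 0;
}
```

Request data is always passed as a `%s` argument, never as the format string itself; a logger that takes a caller-supplied format is a second bug class on its own, and the bounded buffer does nothing to prevent it.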





Example

$ telnet www.server.com 80
Trying server.com...
Connected to server.com.
Escape character is '^]'.
AAAAAAAAAAAAAAA... - 4078+ bytes

Registers

segment violation occurred
41414141 read_fault
http thread:regs
 eax 00001010   ebp 41414141   cs 001b
 edx 00000007   esi fc2c0d9c   ss 0023
 ecx 00000000   edi 80017f20   ds 0023
 ebx 8000c7fc   esp fc2bd3f4   es 0023
                               fs 0000
 eflags 00010246  eip 41414141
 trap_no 0000000e error_code 00000004
http thread:

------------------------- end advisory --------------------------

(C) 1999-2000 All rights reserved.