J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: DayDream BBS Control Code Multiple Buffer Overflow Vulnerability

Severity: HIGH

Description:

DayDream BBS was originally written for AmigaOS, although a port is now actively maintained for Linux and BSD based systems. DayDream is conference based, and includes support for message boards, file transfers, and doors.

It is possible to include control codes in text files displayed by DayDream. They are interpreted and can be used to insert data such as the current date or user name, or to perform actions. The command ~#MC is used to introduce a menu command, and the commands ~#TF and ~#RA are used to display text files. These three commands suffer from buffer overflow vulnerabilities.

By associating extremely large parameters with these control codes, it is possible to overflow a buffer in memory. This can be used to corrupt the stack, and modify the return address of the affected function. It is possible this could be used to execute arbitrary code.

If a user is able to include these control codes in posted messages, it may be possible for a remote user of the BBS system to cause arbitrary code to be executed. Under the recommended installation, DayDream runs as a non-privileged user 'bbs'. However, successful exploitation of this vulnerability may lead to local access to the system. Given local access, it is often easier to obtain elevated privileges.

It has been reported that this vulnerability has been repaired in the recent releases of DayDream, although it has not been reported on the software homepage at the time this was written.

Affected Products:

  • DayDream DayDream BBS 2.10.0
  • DayDream DayDream BBS 2.12.0
  • DayDream DayDream BBS 2.13.0
  • DayDream DayDream BBS 2.9.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.