Debian Bug report logs - #431010
cryptcat: segfault in listen mode


Package: cryptcat; Maintainer for cryptcat is Lars Bahner <bahner@debian.org>; Source for cryptcat is src:cryptcat.

Reported by: Tim <tim-debian@sentinelchicken.org>

Date: Thu, 28 Jun 2007 20:09:01 UTC

Severity: grave

Tags: lenny, patch, sid

Found in version cryptcat/20031202-2

Fixed in version cryptcat/20031202-2.1

Done: Paul Wise <pabs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=1837984&group_id=11983&atid=111983



Report forwarded to debian-bugs-dist@lists.debian.org, Lars Bahner <bahner@debian.org>:
Bug#431010; Package cryptcat. Full text and rfc822 format available.

Acknowledgement sent to Tim <tim-debian@sentinelchicken.org>:
New Bug report received and forwarded. Copy sent to Lars Bahner <bahner@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tim <tim-debian@sentinelchicken.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cryptcat: segfault in listen mode
Date: Thu, 28 Jun 2007 16:05:30 -0400
Package: cryptcat
Version: 20031202-2+b1
Severity: grave
Justification: renders package unusable


In order to test sending files with cryptcat, I have run one instance like so:

  cryptcat -l -p 11223 > myfile.sent

And then I start another instance on the same machine to send the file to the 
first instance:

  cat myfile | cryptcat 127.0.0.1 11223

Instantly the first instance of cryptcat crashes.  I have run this under a
debugger and it appears there is serious memory corruption occurring.  Specifically,
when a C++ method is run, its own "this" variable appears to be corrupt.  In any
case, I don't have time to debug it now, but perhaps someone else knows of an easy
fix.  I get the same behavior on two separate machines, one a 32-bit AMD system,
and another which is a 32-bit Intel-based Mac.

Notably, this crash doesn't occur for me if I run the second cryptcat instance like:

  echo test | cryptcat 127.0.0.1 11223

This indicates to me that an overflow of some kind could be occurring.  Be sure
to test using large files to trigger it.



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.20
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages cryptcat depends on:
ii  libc6                   2.5-10           GNU C Library: Shared libraries
ii  libgcc1                 1:4.2-20070528-1 GCC support library
ii  libstdc++6              4.2-20070528-1   The GNU Standard C++ Library v3

cryptcat recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Lars Bahner <bahner@debian.org>:
Bug#431010; Package cryptcat. Full text and rfc822 format available.

Acknowledgement sent to Tim <tim-debian@sentinelchicken.org>:
Extra info received and forwarded to list. Copy sent to Lars Bahner <bahner@debian.org>. Full text and rfc822 format available.

Message #10 received at 431010@bugs.debian.org (full text, mbox):

From: Tim <tim-debian@sentinelchicken.org>
To: 431010@bugs.debian.org
Subject: segfault in upstream as well
Date: Thu, 28 Jun 2007 16:15:11 -0400
I'd also like to add that I've tested the newer upstream version (1.2.1)
and it also exhibits this problem.

tim



Bug marked as found in version 20031202-2. Request was from Don Armstrong <don@donarmstrong.com> to control@bugs.debian.org. (Sat, 30 Jun 2007 14:00:07 GMT) Full text and rfc822 format available.

Bug marked as not found in version 20031202-2+b1. Request was from Don Armstrong <don@donarmstrong.com> to control@bugs.debian.org. (Sat, 30 Jun 2007 14:24:02 GMT) Full text and rfc822 format available.

Tags added: lenny, sid Request was from Lars Bahner <bahner@debian.org> to control@bugs.debian.org. (Tue, 03 Jul 2007 11:30:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Lars Bahner <bahner@debian.org>:
Bug#431010; Package cryptcat. Full text and rfc822 format available.

Acknowledgement sent to niek linnenbank <niek.linnenbank@planet.nl>:
Extra info received and forwarded to list. Copy sent to Lars Bahner <bahner@debian.org>. Full text and rfc822 format available.

Message #21 received at 431010@bugs.debian.org (full text, mbox):

From: niek linnenbank <niek.linnenbank@planet.nl>
To: 431010@bugs.debian.org
Subject: cryptcat patch for farm9crypt_read()
Date: Fri, 10 Aug 2007 18:22:59 +0200
Good day,

I think I found the problem of this bug. There is an overflow bug in
farm9crypt_read() in farm9crypt.cc, which is triggered when a message larger
than 8192 bytes is received by cryptcat.

The received message will overwrite the decryptor pointer, also declared in
farm9crypt.cc, which is used to decrypt an incoming message:

farm9crypt.cc:60:

    static TwoFish* decryptor = NULL;

To reproduce, start listening with a cryptcat:

    $ cryptcat -l -p 12345 > received.bin

Then send a big file with another cryptcat to the listening cryptcat:

    $ perl -e 'print "A"x(1024000*20)' > BIGFILE
    $ cat BIGFILE | cryptcat 127.0.0.1 12345

The following gdb output illustrates the overflow:

    debianvm:/tmp# gdb ./cryptcat
    GNU gdb 6.6-debian
    Copyright (C) 2006 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i486-linux-gnu"...
    Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".
    (gdb) run -l -p 12345
    Starting program: /tmp/cryptcat -l -p 12345
    Failed to read a valid object file image from memory.

    Program received signal SIGSEGV, Segmentation fault.
    0x0804d7eb in TwoFish::flush (this=0x41414141) at twofish2.cc:538
    538         if ( qBlockDefined ) {
    Current language:  auto; currently c++
    (gdb) up
    #1  0x0804bebe in farm9crypt_read (sockfd=9,
        buf=0x8057040 "Pv\026\236Ʀ�\226���c�3���\031�f�\037\230}�H�%�\t\022D127.0.0.1", size=8192) at farm9crypt.cc:155
    155             decryptor->flush();
    (gdb) print &decryptor
    $1 = (TwoFish **) 0x8051544
    (gdb) print decryptor
    $2 = (TwoFish *) 0x41414141
    (gdb) x/50x 0x8051540
    0x8051540 <outBuffer+8192>:     0x41414141      0x41414141      0x41414141      0x41414141
    0x8051550:      0x00000000      0x00000000      0x00000000      0x00000000

The cause of the problem is that at the beginning of outBuffer, 32 bytes are
written prior to the received message, but are not calculated in the bounds
checking, resulting in an overflow. To solve the problem, we need to increase
both inBuffer and outBuffer by 32 bytes, to create sufficient space:

farm9crypt.cc:107:

    static char outBuffer[8193 + 32];
    static char inBuffer[8193 + 32];

After applying this patch, I can send big files with cryptcat:

    $ cat BIGFILE | ./cryptcat 127.0.0.1 12345
    $ md5sum BIGFILE
    0ba1e0140c7668ccacb6e16ec159e8ac  BIGFILE

Another shell:

    $ ./cryptcat -l -p 12345 > myfile
    $ md5sum myfile
    0ba1e0140c7668ccacb6e16ec159e8ac  myfile
    
I have attached the .diff file to fix the bug, apply it with:

    patch -p0 < cryptcat-farm9crypt_read-patch.diff

Niek Linnenbank
[cryptcat-farm9crypt_read-patch.diff (text/x-diff, attachment)]
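The bounds problem Niek describes above, as an added C illustration written for this page (it is not cryptcat's code and not the attached patch): a staging buffer sized for the read, a 32-byte header written ahead of the payload, and a check that only compares the payload length against the read size. `overrun_if_unchecked` computes how far such a write would run past the buffer, which for a full 8192-byte read against the original 8193-byte buffer is 31 bytes, exactly the region where the gdb session shows `decryptor` sitting at `outBuffer+8196`. `stage_record` is the hardened form: the check includes the header, the addition is guarded against wrap-around, and nothing is written on the refusal path. All names, the `READ_SIZE`/`HEADER_LEN` constants and the guard-word layout are assumptions of this example; the 8193 and the 32-byte prefix come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout modelled on the bug report.  READ_SIZE is the recv() size shown in
 * gdb (size=8192); HEADER_LEN is the 32-byte prefix Niek describes; BUF_LEN is
 * the original "8193" declaration and FIXED_LEN the "8193 + 32" from the patch.
 * The macro names themselves are assumptions for this illustration. */
#define READ_SIZE  8192
#define HEADER_LEN 32
#define BUF_LEN    (READ_SIZE + 1)
#define FIXED_LEN  (READ_SIZE + 1 + HEADER_LEN)

/* Number of bytes a write of HEADER_LEN + len, starting at the base of a
 * buf_len-byte buffer, would land past its end when the only check performed
 * is "len <= READ_SIZE" (the original check, which ignores the header).
 * Returns 0 when the record fits.  Pure arithmetic, no memory is touched. */
size_t overrun_if_unchecked(size_t len, size_t buf_len) {
    size_t total = HEADER_LEN + len;
    return total > buf_len ? total - buf_len : 0;
}

/* Hardened staging: copies header and payload into dst only if both fit.
 * Returns the number of bytes staged, or -1 without writing anything. */
long stage_record(unsigned char *dst, size_t dst_len,
                  const unsigned char *header,
                  const unsigned char *payload, size_t len) {
    if (len > SIZE_MAX - HEADER_LEN) return -1;   /* HEADER_LEN + len must not wrap */
    if (HEADER_LEN + len > dst_len)  return -1;   /* the check now counts the prefix */
    memcpy(dst, header, HEADER_LEN);
    memcpy(dst + HEADER_LEN, payload, len);
    return (long)(HEADER_LEN + len);
}

/* Self-check with constructed data: a maximum-size read (8192 payload bytes)
 * must be refused by a BUF_LEN buffer and accepted by a FIXED_LEN buffer, and a
 * guard word placed after each buffer must stay intact.  Returns 1 on success. */
int check_full_size_read(void) {
    static unsigned char header[HEADER_LEN];
    static unsigned char payload[READ_SIZE];
    struct { unsigned char buf[BUF_LEN];   uint32_t guard; } small = {{0}, 0xDEADBEEFu};
    struct { unsigned char buf[FIXED_LEN]; uint32_t guard; } big   = {{0}, 0xDEADBEEFu};

    memset(header, 'H', sizeof header);    /* constructed 32-byte prefix */
    memset(payload, 'A', sizeof payload);  /* constructed payload, like the "A"x... file */

    /* Original buffer size: the record is refused and nothing is written. */
    if (stage_record(small.buf, sizeof small.buf, header, payload, READ_SIZE) != -1) return 0;
    if (small.guard != 0xDEADBEEFu || small.buf[0] != 0) return 0;

    /* Enlarged buffer: the record is accepted in full and the guard survives. */
    if (stage_record(big.buf, sizeof big.buf, header, payload, READ_SIZE)
            != (long)(HEADER_LEN + READ_SIZE)) return 0;
    if (big.guard != 0xDEADBEEFu) return 0;

    return big.buf[0] == 'H'
        && big.buf[HEADER_LEN] == 'A'
        && big.buf[HEADER_LEN + READ_SIZE - 1] == 'A';
}

int main(void) {
    printf("8192-byte read, 8193-byte buffer, header ignored: overrun of %zu bytes\n",
           overrun_if_unchecked(READ_SIZE, BUF_LEN));
    printf("8192-byte read, 8225-byte buffer: overrun of %zu bytes\n",
           overrun_if_unchecked(READ_SIZE, FIXED_LEN));
    printf("hardened staging self-check: %s\n", check_full_size_read() ? "ok" : "FAILED");
    return 0;
}
```

Enlarging the buffer, as the patch does, removes the crash for the sizes the program reads today; the check in `stage_record` is the form that keeps holding if `READ_SIZE` or the prefix ever changes, because it is derived from the destination size rather than from the read size alone.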

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#431010; Package cryptcat. Full text and rfc822 format available.

Acknowledgement sent to Lars Bahner <bahner@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #26 received at 431010@bugs.debian.org (full text, mbox):

From: Lars Bahner <bahner@debian.org>
To: niek linnenbank <niek.linnenbank@planet.nl>, 431010@bugs.debian.org
Subject: Re: Bug#431010: cryptcat patch for farm9crypt_read()
Date: Mon, 27 Aug 2007 08:54:06 +0200
Thank you,

I will have your patch verified and incorporate it.

It is probably about time to fork off cryptcat, I think. Any name
suggestions?

Kind regards,
Lars Bahner

On Fri, Aug 10, 2007 at 06:22:59PM +0200, niek linnenbank wrote:
> Good day,
> 
> I think I found the problem of this bug. There is an overflow bug in 
> farm9crypt_read() in farm9crypt.cc, which
> is triggered when a message larger than 8192 bytes is received by cryptcat.
> 
> The received message will overwrite the decryptor pointer, also declared in
> farm9crypt.cc, which is used to decrypt an incoming message:
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Lars Bahner <bahner@debian.org>:
Bug#431010; Package cryptcat. Full text and rfc822 format available.

Acknowledgement sent to niek linnenbank <niek.linnenbank@planet.nl>:
Extra info received and forwarded to list. Copy sent to Lars Bahner <bahner@debian.org>. Full text and rfc822 format available.

Message #31 received at 431010@bugs.debian.org (full text, mbox):

From: niek linnenbank <niek.linnenbank@planet.nl>
To: Lars Bahner <bahner@debian.org>, 431010@bugs.debian.org
Subject: Re: Bug#431010: cryptcat patch for farm9crypt_read()
Date: Wed, 29 Aug 2007 12:41:28 +0200
Hi,

Thanks for your reply.

I'm not that creative with names, but if you are going to fork it, you
could call it e.g. fishcat, because it uses the twofish cipher.

Niek Linnenbank

On Monday 27 August 2007 08:54, Lars Bahner wrote:
> Thank you,
>
> I will have your patch verified and incorporate it.
>
> It is probably about time to fork off cryptcat, I think. Any name
> suggestions?
>
> Kind regards,
> Lars Bahner
>
> On Fri, Aug 10, 2007 at 06:22:59PM +0200, niek linnenbank wrote:
> > Good day,
> >
> > I think I found the problem of this bug. There is an overflow bug in
> > farm9crypt_read() in farm9crypt.cc, which
> > is triggered when a message larger than 8192 bytes is received by
> > cryptcat.
> >
> > The received message will overwrite the decryptor pointer, also declared
> > in farm9crypt.cc, which is used to decrypt an incoming message:



Information forwarded to debian-bugs-dist@lists.debian.org, Lars Bahner <bahner@debian.org>:
Bug#431010; Package cryptcat. Full text and rfc822 format available.

Acknowledgement sent to Lars Bahner <bahner@linpro.no>:
Extra info received and forwarded to list. Copy sent to Lars Bahner <bahner@debian.org>. Full text and rfc822 format available.

Message #36 received at 431010@bugs.debian.org (full text, mbox):

From: Lars Bahner <bahner@linpro.no>
To: niek linnenbank <niek.linnenbank@planet.nl>, 431010@bugs.debian.org
Subject: Re: Bug#431010: cryptcat patch for farm9crypt_read()
Date: Thu, 30 Aug 2007 17:02:24 +0200
On Wed, Aug 29, 2007 at 12:41:28PM +0200, niek linnenbank wrote:
> Hi,
> 
> Thanks for your reply.
> 
> I'm not that creative with names, but if you are going to fork it, you
> could call it e.g. fishcat, because it uses the twofish cipher.

Or plainly catfish :)
-- 
Lars Bahner, system consultant
Linpro AS - http://www.linpro.no/
Phone: (+47) 21 54 41 34; GPG: 0xBA16087C
Nihil est sine ratione, cur potius sit quam non sit.
[signature.asc (application/pgp-signature, inline)]

Noted your statement that Bug has been forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=1837984&group_id=11983&atid=111983. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Sun, 25 Nov 2007 08:54:42 GMT) Full text and rfc822 format available.

Tags added: patch Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Sun, 25 Nov 2007 08:57:03 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Sun, 25 Nov 2007 09:24:06 GMT) Full text and rfc822 format available.

Reply sent to Paul Wise <pabs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tim <tim-debian@sentinelchicken.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 431010-close@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: 431010-close@bugs.debian.org
Subject: Bug#431010: fixed in cryptcat 20031202-2.1
Date: Sun, 25 Nov 2007 09:47:02 +0000
Source: cryptcat
Source-Version: 20031202-2.1

We believe that the bug you reported is fixed in the latest version of
cryptcat, which is due to be installed in the Debian FTP archive:

cryptcat_20031202-2.1.diff.gz
  to pool/main/c/cryptcat/cryptcat_20031202-2.1.diff.gz
cryptcat_20031202-2.1.dsc
  to pool/main/c/cryptcat/cryptcat_20031202-2.1.dsc
cryptcat_20031202-2.1_i386.deb
  to pool/main/c/cryptcat/cryptcat_20031202-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 431010@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Wise <pabs@debian.org> (supplier of updated cryptcat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 25 Nov 2007 18:56:00 +0930
Source: cryptcat
Binary: cryptcat
Architecture: source i386
Version: 20031202-2.1
Distribution: unstable
Urgency: low
Maintainer: Lars Bahner <bahner@debian.org>
Changed-By: Paul Wise <pabs@debian.org>
Description: 
 cryptcat   - TCP/IP swiss army knife extended with twofish encryption
Closes: 431010
Changes: 
 cryptcat (20031202-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix segfault in listen mode (Closes: #431010)
Files: 
 7d8550ffceae3c3ade2754167d59af88 583 net optional cryptcat_20031202-2.1.dsc
 2a839e14754aebe4da09b5476bda127b 4935 net optional cryptcat_20031202-2.1.diff.gz
 5e09b806298d623367498f0ded05c1d6 46424 net optional cryptcat_20031202-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHST/05Sc9mGvjxCMRAquhAKDDSpA+bFbHWHRQfAlOgwamg2Zg/gCfTzIW
fNxI6EFfKryGVjgWIC1+9QY=
=9hGV
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:47:03 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 21:49:33 2014; Machine Name: beach.debian.org
