Good day,
I think I found the problem of this bug. There is an overflow bug in
farm9crypt_read() in farm9crypt.cc, which
is triggered when a message larger than 8192 bytes is received by cryptcat.
The received message will overwrite the decryptor pointer, also declared in
farm9crypt.cc, which is used to decrypt an incoming message:
farm9crypt.cc:60:
static TwoFish* decryptor = NULL;
To reproduce, start listening with a cryptcat:
$ cryptcat -l -p 12345 > received.bin
Then send big file with another cryptcat to the listening cryptcat:
$ perl -e 'print "A"x(1024000*20)' > BIGFILE
$ cat received.bin | cryptcat 127.0.0.1 12345
The following gdb output illustrates the overflow:
debianvm:/tmp# gdb ./cryptcat
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".
(gdb) run -l -p 12345
Starting program: /tmp/cryptcat -l -p 12345
Failed to read a valid object file image from memory.
Program received signal SIGSEGV, Segmentation fault.
0x0804d7eb in TwoFish::flush (this=0x41414141) at twofish2.cc:538
538 if ( qBlockDefined ) {
Current language: auto; currently c++
(gdb) up
#1 0x0804bebe in farm9crypt_read (sockfd=9,
buf=0x8057040 "Pv\026\236Ʀ�\226���c�3���\031�f�\037\230}�H�%�\t\022D127.0.0.1",
size=8192) at farm9crypt.cc:155
155 decryptor->flush();
(gdb) print &decryptor
$1 = (TwoFish **) 0x8051544
(gdb) print decryptor
$2 = (TwoFish *) 0x41414141
(gdb) x/50x 0x8051540
0x8051540 <outBuffer+8192>: 0x41414141 0x41414141
0x41414141 0x41414141
0x8051550: 0x00000000 0x00000000 0x00000000
0x00000000
The cause of the problem, is that at the beginning of outBuffer, 32 bytes are
written prior to the received message,
but are not calculated in the bounds checking, resulting in a overflow. To
solve the problem, we need to increase both inBuffer and outBuffer with 32
bytes, to create sufficient space:
farm9crypt.cc:107:
static char outBuffer[8193 + 32];
static char inBuffer[8193 + 32];
After applying this patch, I can send big files with cryptcat:
$ cat BIGFILE | ./cryptcat 127.0.0.1 12345
$ md5sum BIGFILE
0ba1e0140c7668ccacb6e16ec159e8ac BIGFILE
Another shell:
$ ./cryptcat -l -p 12345 > myfile
$ md5sum myfile
0ba1e0140c7668ccacb6e16ec159e8ac myfile
I have attached the .diff file to fix the bug, apply it with:
patch -p0 < cryptcat-farm9crypt_read-patch.diff
Niek Linnenbank
--- ../cryptcat-20031202/farm9crypt.cc 2007-08-09 23:21:56.000000000 -0500
+++ farm9crypt.cc 2007-08-09 22:38:51.000000000 -0500
@@ -104,8 +104,8 @@ extern "C" void farm9crypt_init( char* k
*
* Parameters same as "recv"
*/
-static char outBuffer[8193];
-static char inBuffer[8193];
+static char outBuffer[8193 + 32];
+static char inBuffer[8193 + 32];
extern "C" int farm9crypt_read( int sockfd, char* buf, int size ) {
int total = 0;
