Integer overflow in gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted content of a certain size that triggers the overflow.
gopherd, a daemon for the legacy Gopher information-retrieval protocol, is vulnerable to an integer overflow that allows remote attackers to trigger a denial of service (DoS) and potentially achieve remote code execution (RCE). The vulnerability stems from improper handling of content sizes, which lets an attacker craft a request whose size value overflows the daemon's internal data structures. Successful exploitation could lead to system instability or complete compromise.
Step 1: Payload Delivery: An attacker sends a malicious gopher request carrying a specially crafted content size value.
Step 2: Request Processing: The gopherd daemon receives and parses the malicious request.
Step 3: Size Calculation: The daemon attempts to determine the size of the content based on the provided value. Due to the integer overflow, the calculated size is incorrect, often resulting in a small or negative value.
Step 4: Memory Allocation: The daemon allocates memory based on the incorrect size. This can lead to either an allocation of insufficient memory (leading to a buffer overflow) or an allocation of memory that is then used incorrectly.
Step 5: Data Corruption: The daemon attempts to write data to the allocated memory. Because of the incorrect size calculation, the write operation can overwrite adjacent memory regions, potentially corrupting critical data structures or code.
Step 6: Exploitation: The memory corruption can lead to a denial-of-service (DoS) by crashing the gopherd process. In some cases, it could be possible to overwrite function pointers or other critical data, leading to remote code execution (RCE).
The vulnerability lies in how gopherd 3.0.3 calculates content sizes: the daemon does not validate the size of incoming gopher content before allocating memory or performing operations that depend on that size. A crafted request whose content size value overflows an integer during processing leads to memory corruption, which can overwrite critical data structures and cause a crash (DoS) or, in the more severe case, execution of arbitrary code. The root cause is the use of an integer type whose range cannot represent the potentially large content size, combined with missing bounds checks. An attacker-supplied size value can therefore wrap around to a small or negative value during calculation, producing an undersized allocation that is then exploited.
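The following C program is an added illustration of the bug class described in the steps and root-cause paragraph above; it is not gopherd's code, and the header length, content cap and function names are constructed for the example. It places the vulnerable size computation (an unchecked 32-bit addition that wraps for a large declared size) beside a hardened version that bounds the untrusted value and proves the addition cannot wrap before allocating, then shows the checked path handling a well-formed request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed framing constants for this illustration; gopherd's real
 * header layout and limits are not given on the page. */
#define HEADER_LEN   16u           /* bytes reserved ahead of the content */
#define MAX_CONTENT  (1u << 20)    /* policy cap on accepted content size */

/* Vulnerable pattern (steps 3-4): the declared content size is added to
 * the header length in 32-bit unsigned arithmetic.  For a declared size
 * close to UINT32_MAX the sum wraps, so the value handed to malloc() is
 * tiny while the daemon still believes it must write 'declared' bytes. */
uint32_t vulnerable_alloc_size(uint32_t declared) {
    uint32_t total = declared + HEADER_LEN;   /* silent wrap-around */
    return total;
}

/* True when writing HEADER_LEN + declared bytes into a buffer of
 * vulnerable_alloc_size(declared) bytes would run past its end (step 5).
 * The comparison is done in 64 bits so the check itself cannot wrap. */
bool vulnerable_write_overflows(uint32_t declared) {
    uint64_t bytes_written = (uint64_t)HEADER_LEN + declared;
    return bytes_written > vulnerable_alloc_size(declared);
}

/* Hardened pattern: bound the untrusted size against policy and prove the
 * addition cannot wrap *before* performing it.  Returns the allocation
 * size, or 0 when the request must be rejected (a valid size is never 0
 * because it always includes the header). */
size_t safe_alloc_size(uint32_t declared) {
    if (declared > MAX_CONTENT)                 /* reject absurd sizes outright */
        return 0;
    if (declared > UINT32_MAX - HEADER_LEN)     /* the sum would wrap; this is
                                                   the check that matters when
                                                   no policy cap exists */
        return 0;
    return (size_t)HEADER_LEN + declared;
}

/* Hardened request handling: 0 on success, -1 when the declared size is
 * rejected, -2 when the payload length disagrees with the declared size,
 * -3 on allocation failure.  Every write is bounded by a checked size. */
int handle_content(uint32_t declared, const unsigned char *payload, size_t payload_len) {
    size_t need = safe_alloc_size(declared);
    if (need == 0)
        return -1;
    if (payload_len != declared)
        return -2;
    unsigned char *buf = malloc(need);
    if (buf == NULL)
        return -3;
    memset(buf, 0, HEADER_LEN);                 /* header area */
    memcpy(buf + HEADER_LEN, payload, payload_len);
    free(buf);
    return 0;
}

/* Runs a well-formed request through the hardened path with a constructed
 * 100-byte payload; returns handle_content's result (0 on success). */
int demo_valid_request(void) {
    unsigned char payload[100];
    memset(payload, 'A', sizeof payload);
    return handle_content((uint32_t)sizeof payload, payload, sizeof payload);
}

int main(void) {
    uint32_t hostile = UINT32_MAX - 4u;          /* constructed hostile size */
    printf("vulnerable: declared=%u -> malloc(%u), overflow=%s\n",
           hostile, vulnerable_alloc_size(hostile),
           vulnerable_write_overflows(hostile) ? "yes" : "no");
    printf("hardened:   declared=%u -> %s\n", hostile,
           safe_alloc_size(hostile) == 0 ? "rejected" : "accepted");
    printf("hardened:   declared=100 -> need=%zu, result=%d\n",
           safe_alloc_size(100), demo_valid_request());
    return 0;
}
```

The design point is that the overflow check must run on the untrusted value before any arithmetic that feeds an allocator or a copy length; checking the wrapped result afterwards is too late, because the wrapped value looks like a perfectly ordinary small size.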