Followup indicates that this will be fixed in NetKit-B 0.08, so we should update to that ASAP.
------- start of forwarded message (RFC 934 encapsulation) -------
From: "David J. Meltzer" <[EMAIL PROTECTED]>
Sender: Bugtraq List <[EMAIL PROTECTED]>
Reply-To: Bugtraq List <[EMAIL PROTECTED]>
To: Multiple recipients of list BUGTRAQ <[EMAIL PROTECTED]>
Subject: rwhod buffer overflow
Date: Wed, 21 Aug 1996 16:38:57 -0400
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Approved-By: "David J. Meltzer" <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

There is a remote buffer overflow in the path variable in rwhod.c in the line:

    (void) sprintf(path, "whod.%s", wd.wd_hostname);

Although wd_hostname is defined to be only 32 characters, it is read as part of the wd structure from a remote host through a UDP packet and can be as large as the remainder of the structure starting at that point. Through examining the source this appears to be a problem in current OpenBSD, NetBSD, FreeBSD, and Linux distributions. Through penetration testing I have also found this problem present on AIX; I have not examined other platforms running rwhod and so do not know about their potential vulnerability.

I have successfully exploited this remotely to produce undesirable effects (segfaults and overwriting argv[0] on different OSes). I have not spent sufficient time on this to determine exactly how/if to compromise root directly with this overflow, but it is definitely something that should be corrected.

I would suggest prior to the sprintf line you add something to the effect:

    if (strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
        syslog(LOG_WARNING, "possible hostname overflow attack apparently from %x", from.sin_addr);
        continue;
    }

Program: /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others. rwhod must be running on the system.
Requirements: Ability to send UDP packet to target host
Security Compromise: Possible denial of service, Possible annoyance, Possibly root compromise?
Author: Dave M. ([EMAIL PROTECTED])
Synopsis: rwhod reads a structure from a udp packet and does not check the hostname member of the structure for being the expected size.

--------------------------------+---------------------
David J. Meltzer                | Email: [EMAIL PROTECTED]
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (404)252-2427
--------------------------------+---------------------
------- end -------
--
Shields, CrossLink.
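The check described in the forwarded message, written out as an added example (not the rwhod source and not Meltzer's patch): a stand-in for the on-wire structure, a bounded test for a NUL within the 32-byte host name field, and a bounded path builder that refuses unterminated or oversized names instead of calling sprintf on them. The struct layout, the field sizes beyond wd_hostname, and the helper names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the rwhod source: a stand-in for the on-wire
 * struct whod. The host name field is 32 bytes and nothing forces a NUL,
 * which is what lets sprintf("%s") read past it into the rest of the packet. */
#define WD_HOSTNAME_LEN 32
struct whod_msg {
    char wd_hostname[WD_HOSTNAME_LEN];
    char wd_rest[64];   /* assumed stand-in for the remaining members */
};

/* 1 if wd_hostname holds a NUL within its 32 bytes, else 0. memchr is
 * bounded, unlike strlen, so it never walks into wd_rest. */
int hostname_terminated(const struct whod_msg *wd)
{
    return memchr(wd->wd_hostname, '\0', sizeof wd->wd_hostname) != NULL;
}

/* Build "whod.<hostname>" into path. 0 on success; -1 (and a log line)
 * if the name is unterminated or the result would not fit in pathlen. */
int build_whod_path(const struct whod_msg *wd, char *path, size_t pathlen)
{
    if (!hostname_terminated(wd)) {
        fprintf(stderr, "rwhod: unterminated hostname in packet, dropped\n");
        return -1;
    }
    int n = snprintf(path, pathlen, "whod.%s", wd->wd_hostname);
    return (n < 0 || (size_t)n >= pathlen) ? -1 : 0;
}

/* Constructed input for checks: the message starts with n 'A' bytes (once
 * n reaches 32 the name has no NUL and spills into wd_rest), output is
 * limited to pathlen bytes. Returns build_whod_path's result. */
int path_result(size_t n, size_t pathlen)
{
    struct whod_msg m;
    char path[80];
    memset(&m, 0, sizeof m);
    memset(&m, 'A', n > sizeof m ? sizeof m : n);
    return build_whod_path(&m, path, pathlen < sizeof path ? pathlen : sizeof path);
}

int main(void)
{
    printf("short name: %d\n", path_result(5, 80));   /* 0  */
    printf("no NUL:     %d\n", path_result(32, 80));  /* -1 */
    printf("too long:   %d\n", path_result(31, 8));   /* -1 */
    return 0;
}
```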