rwhod buffer overflow
David J. Meltzer (davem@iss.net)
Wed, 21 Aug 1996 16:38:57 -0400
There is a remote buffer overflow in the path variable in rwhod.c in the
line: (void) sprintf(path, "whod.%s", wd.wd_hostname);
Although wd_hostname is defined to be only 32 characters, it is read as
part of the wd structure from a remote host through a UDP packet and can
be as large as the remainder of the structure starting at that point.
Through examining the source this appears to be a problem in current
OpenBSD, NetBSD, FreeBSD, and Linux distributions. Through penetration
testing I have also found this problem present on AIX; I have not examined
other platforms running rwhod and so do not know about their potential
vulnerability.
I have successfully exploited this remotely to produce undesirable effects
(segfaults and overwriting argv[0] on different OSes). I have not spent
sufficient time on this to determine exactly how/if to compromise root
directly with this overflow, but it is definitely something that should be
corrected.
I would suggest that prior to the sprintf line you add something to the effect of:
    /* inside rwhod's receive loop; wd and from are the received struct and sender */
    if (memchr(wd.wd_hostname, '\0', sizeof(wd.wd_hostname)) == NULL) {
        /* hostname is not NUL-terminated within its 32-byte field */
        syslog(LOG_WARNING, "possible hostname overflow attack apparently from %s",
               inet_ntoa(from.sin_addr));
        continue;
    }
Program: /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others.
rwhod must be running on the system
Requirements: Ability to send UDP packet to target host
Security Compromise: Possible denial of service, Possible annoyance,
Possibly root compromise?
Author: Dave M. (davem@iss.net)
Synopsis: rwhod reads a structure from a udp packet and does not check the
hostname member of the structure for being the expected size.
--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (404)252-2427
--------------------------------+---------------------
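The check described in the post, worked through as an added example (this is not rwhod's source and not the author's code): a cut-down whod structure, a validator that bounds the hostname search to the 32-byte field with memchr and builds the path with snprintf, and two constructed datagrams, one normal and one carrying an unterminated 32-byte hostname.

```c
/* Added example: validating wd_hostname before deriving a file name from it.
 * struct whod_min is a simplified stand-in for rwhod's struct whod. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

#define WD_HOSTSIZE 32

struct whod_min {
    uint8_t  wd_vers;
    uint8_t  wd_type;
    uint8_t  wd_pad[2];
    uint32_t wd_sendtime;
    uint32_t wd_recvtime;
    char     wd_hostname[WD_HOSTSIZE]; /* not guaranteed NUL-terminated */
    uint8_t  wd_rest[64];              /* load averages etc. in the real struct */
};

/* Returns 1 and writes "whod.<host>" into path when the hostname is a NUL-terminated
 * string of plain hostname characters inside its field; returns 0 otherwise. */
int build_whod_path(const struct whod_min *wd, char *path, size_t pathlen)
{
    /* memchr stops at the field boundary; strlen would read past it */
    const char *end = memchr(wd->wd_hostname, '\0', WD_HOSTSIZE);
    if (end == NULL || end == wd->wd_hostname)
        return 0; /* unterminated (the overflow case) or empty */
    for (const char *p = wd->wd_hostname; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '-' && c != '.')
            return 0; /* '/' and other non-hostname bytes must not reach a file name */
    }
    int n = snprintf(path, pathlen, "whod.%s", wd->wd_hostname);
    return n > 0 && (size_t)n < pathlen;
}

/* Constructed datagram: fills the struct as if it had been read from UDP,
 * with every byte under the sender's control. */
void make_packet(struct whod_min *wd, const char *host, size_t hostlen)
{
    memset(wd, 'A', sizeof *wd);
    wd->wd_vers = 1;
    wd->wd_type = 1;
    memcpy(wd->wd_hostname, host, hostlen < WD_HOSTSIZE ? hostlen : WD_HOSTSIZE);
}
```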