From: Juan M. de la Torre (jmtorreaxiomasistemas.com)
Date: Thu Jan 03 2002 - 09:11:24 CST


                  ----------------------------
                    Axioma Security Research
                        January 3, 2002
                        A D V I S O R Y
                     www.axiomasistemas.com
                  ----------------------------

    Platforms : All
                Tested on Red Hat Linux 7.1

    Application : snmpnetstat from ucd-SNMP-4.2.3 (www.net-snmp.org)

    Impact : Remote code execution on the machine running the snmpnetstat
             client, triggered by the SNMP agent it queries
     
     Overview
     --------

      snmpnetstat, a tool from the ucd-snmp package, has a remotely exploitable
     heap overflow when parsing the replies of the SNMP agent it queries, so a
     malicious or compromised agent can compromise the client host. A possible
     patch and a proof-of-concept exploit are attached.

      
     Vendor status
     -------------

      Contacted
      

     Details
     -------

      When snmpnetstat requests the list of interfaces, it first allocates an
     array to hold the interface structs, one for each interface fetched. Then
     it sends a getnext request PDU to the agent asking for ifindex, ifaddr and
     ifnetmask, and saves these values in the first null entry of the array.
     Then it sends another getnext request PDU asking for ifindex and some
     other variables. If the ifindex value returned by the agent differs from
     the one previously fetched while the interface currently being scanned is
     the last one, the code steps past the end of the array, and the memory
     located after it is overwritten with the variables returned by the agent,
     causing a heap overflow. Since the overwritten bytes come straight from
     the reply, the agent controls the contents of the overflow.
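
      To make the sequence above concrete, here is an added model of the
     two-phase table walk, written for this page and not taken from the
     snmpnetstat source or from the attached snmp.diff. The struct layout, the
     field names, the function names and the sample agent replies are all
     constructed assumptions; what it shows is the missing bound check on the
     "next row" step, how an agent that answers with an ifindex the table does
     not contain drives the store into the object that follows the table, and
     the check that stops it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* Model of one row of the interface table. The field set is an assumption
 * made for this example, not the real ucd-snmp struct. */
struct iface {
    int      ifindex;                    /* 0 marks a still-unused ("null") entry */
    uint32_t addr, mask;                 /* ifaddr, ifnetmask: filled in phase 1 */
    uint32_t in_octets, out_octets;      /* stand in for the phase 2 "other variables" */
};

/* One varbind set from a getnext reply (constructed model). */
struct reply { int ifindex; uint32_t a, b; };

/* Phase 1: each reply goes into the first null entry of the table. */
static int phase1_fill(struct iface *tbl, size_t n, const struct reply *r, size_t nr)
{
    for (size_t i = 0; i < nr; i++) {
        size_t k = 0;
        while (k < n && tbl[k].ifindex != 0)
            k++;
        if (k == n)
            return -1;                   /* table full: reject, do not write */
        tbl[k].ifindex = r[i].ifindex;
        tbl[k].addr = r[i].a;
        tbl[k].mask = r[i].b;
    }
    return 0;
}

/* Phase 2, vulnerable shape: walk the table in step with the replies and move
 * to the next row when the returned ifindex does not match the current one.
 * On the last row, "next" is one past the end of the array. */
static void phase2_vuln(struct iface *tbl, const struct reply *r, size_t nr)
{
    struct iface *cur = tbl;
    for (size_t i = 0; i < nr; i++) {
        if (cur->ifindex != r[i].ifindex)
            cur++;                       /* never compared against tbl + n */
        cur->ifindex = r[i].ifindex;     /* all three values come from the agent */
        cur->in_octets = r[i].a;
        cur->out_octets = r[i].b;
    }
}

/* Same walk with the missing bound check: a reply that matches no remaining
 * row is an error, not a write. */
static int phase2_fixed(struct iface *tbl, size_t n, const struct reply *r, size_t nr)
{
    struct iface *cur = tbl, *end = tbl + n;
    for (size_t i = 0; i < nr; i++) {
        if (cur->ifindex != r[i].ifindex) {
            cur++;
            if (cur >= end)
                return -1;               /* stop before the one-past-end store */
        }
        cur->ifindex = r[i].ifindex;
        cur->in_octets = r[i].a;
        cur->out_octets = r[i].b;
    }
    return 0;
}

#define NIF      2                       /* interfaces the client allocated for */
#define SENTINEL 0xDEADBEEFu             /* marks the neighbouring heap object */

/* Lay the table out with a neighbouring word right after it, replay a hostile
 * agent's replies, and return that word: SENTINEL if it survived, agent data
 * if the walk wrote past the table. */
uint32_t neighbour_after_phase2(int hardened)
{
    size_t tbl_bytes = NIF * sizeof(struct iface);
    /* one spare row after the table keeps the model's overflow inside memory
     * we own, so it can be inspected instead of corrupting the real heap */
    unsigned char *base = calloc(tbl_bytes + sizeof(struct iface), 1);
    if (!base)
        return 0;
    struct iface *tbl = (struct iface *)base;
    size_t probe = tbl_bytes + offsetof(struct iface, in_octets);
    uint32_t word = SENTINEL;
    memcpy(base + probe, &word, sizeof word);

    /* Phase 1: the agent reports interfaces 1 and 2 (constructed replies). */
    struct reply p1[] = { {1, 0x0a000001u, 0xffffff00u}, {2, 0xc0a80001u, 0xffffff00u} };
    phase1_fill(tbl, NIF, p1, 2);

    /* Phase 2: replies for 1 and 2, then for an ifindex (3) the table does not
     * hold; the cursor sits on the last row when that mismatch arrives. */
    struct reply p2[] = { {1, 100, 200}, {2, 300, 400}, {3, 0x41414141u, 0x42424242u} };
    if (hardened)
        phase2_fixed(tbl, NIF, p2, 3);
    else
        phase2_vuln(tbl, p2, 3);

    memcpy(&word, base + probe, sizeof word);
    free(base);
    return word;
}

int main(void)
{
    printf("vulnerable walk: neighbour word = 0x%08x\n", (unsigned)neighbour_after_phase2(0));
    printf("hardened walk:   neighbour word = 0x%08x\n", (unsigned)neighbour_after_phase2(1));
    return 0;
}
```

      In the vulnerable run the neighbouring word ends up as 0x41414141, the
     value the fake agent supplied in its third reply; in the hardened run the
     walk refuses the reply and the word keeps its sentinel. In the real
     program the neighbour is whatever malloc placed after the table, which is
     what makes the exploit offset in the attached snmpx.c allocator- and
     distribution-specific.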

      The research team of Axioma Sistemas has been able to exploit this flaw,
     providing a default offset for Red Hat 7.1. See the attached exploit.

      Axioma Sistemas is unaware at this time whether previous versions of
     snmpnetstat are affected by the vulnerability described in this advisory,
     but they probably are.

     Recommendations
     ---------------

      Apply the attached patch or upgrade to the next release of Net-SNMP when
     it becomes available.

     Credits
     -------

      Axioma Security Research would like to thank Juan M. de la Torre
     (jmtorreaxiomasistemas.com) for discovering and researching this
     vulnerability.

    -------------------
     About Axioma Sistemas

      Axioma is a leading Internet security consultancy founded to help
     corporations improve their network security. With penetration tests and
     high-level security assessments, Axioma gives commercial banks,
     telecommunication companies and many other customers the security they
     need.

      


    • application/octet-stream attachment: snmp.diff

    • application/octet-stream attachment: snmpx.c