From: Ulf Härnhammar (Ulf.Harnhammar.9485student.uu.se)
Date: Thu Nov 11 2004 - 07:59:31 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* ez-ipupdate format string bug *

"ez-ipupdate is a quite complete client for the dynamic DNS service offered
by http://www.ez-ip.net/ and many more. Currently supported are: ez-ip
[..] , Penguinpowered [..] , DHS [..] , dynDNS [..] , ODS [..] , TZO [..] ,
EasyDNS [..] , Justlinux [..] , Dyns [..] , HN [..] , ZoneEdit [..] and
Hurricane Electric's IPv6 Tunnel Broker [..]. All services using GNUDip are
also supported."

(from packages.debian.org)

I have found a format string bug in ez-ipupdate. It affects at least the
versions 3.0.11b8, 3.0.11b7, 3.0.11b6, 3.0.11b5 and 3.0.10. It doesn't affect
2.9.6. The vulnerability has the identifier CAN-2004-0980.

The format string bug allows a malicious remote server to execute arbitrary
code on the machine running ez-ipupdate, if and only if daemon mode is on
(very common) and certain service types are used. I have attached a trivial
patch (against 3.0.11b8) that corrects this problem.

It proved to be impossible to contact upstream, as all his e-mail addresses
bounced. The Linux and *BSD vendors that distribute ez-ipupdate have been
contacted, but so far only Mandrakelinux and SUSE Linux have published
patched versions.

// Ulf Harnhammar http://www.advogato.org/person/metaur/
   for the
   Debian Security Audit Project http://www.debian.org/security/audit/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• text/plain attachment: ez-ipupdate.formstring.patch

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]