Subject: evil statd function
From: lamonticopyright.com
Date: Thu Jun 29 2000 - 12:51:59 CDT


Grepping through the Red Hat sources for nfs-utils-0.1.6 I found this:

/*
 * Write the _msgout function
 */
void
write_msg_out(void)
{
        f_print(fout, "\n");
        f_print(fout, "static\n");
        if( !Cflag ) {
          f_print(fout, "void _msgout(msg)\n");
          f_print(fout, "\tchar *msg;\n");
        } else {
          f_print(fout, "void _msgout(char* msg)\n");
        }
        f_print(fout, "{\n");
        f_print(fout, "#ifdef RPC_SVC_FG\n");
        if (inetdflag || pmflag)
                f_print(fout, "\tif (_rpcpmstart)\n");
        f_print(fout, "\t\tsyslog(LOG_ERR, msg);\n");
        f_print(fout, "\telse\n");
        f_print(fout, "\t\t(void) fprintf(stderr, \"%%s\\n\", msg);\n");
        f_print(fout, "#else\n");
        f_print(fout, "\tsyslog(LOG_ERR, msg);\n");
        f_print(fout, "#endif\n");
        f_print(fout, "}\n");
}

It looks like rpcgen is compiled during the build, then called to create
the file statd/sm_inter_src.c, which sure enough looks like:

static
void _msgout(msg)
        char *msg;
{
#ifdef RPC_SVC_FG
        if (_rpcpmstart)
                syslog(LOG_ERR, msg);
        else
                (void) fprintf(stderr, "%s\n", msg);
#else
        syslog(LOG_ERR, msg);
#endif
}

But the only place I can find a call to _msgout() is here:

_msgout("unable to free arguments");

So, it doesn't appear to be exploitable. Yet. Still needs to get fixed.
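The hardened shape of the generated _msgout(), as an added example that is not part of the original post, of nfs-utils or of rpcgen: the message becomes an argument to a fixed "%s" format instead of being the format itself, and a small audit helper (has_format_directive, a constructed name) flags message strings that syslog()/printf() would interpret. Buffer sizes and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed example; not code from nfs-utils or rpcgen.
 *
 * The generated sm_inter code does:   syslog(LOG_ERR, msg);
 * There msg is the format string, so any '%' directive in msg makes
 * syslog() read varargs that were never passed (and "%n" writes memory).
 * Compilers flag this with -Wformat-security.  The fix is one line: */
void msgout_safe(const char *msg)
{
        syslog(LOG_ERR, "%s", msg);     /* fixed format, msg is data */
}

/* Returns 1 if s contains a conversion specifier a *printf-style
 * function would act on, i.e. a '%' not followed by another '%'.
 * Useful when auditing every string that reaches _msgout(). */
int has_format_directive(const char *s)
{
        for (; *s; s++) {
                if (*s != '%')
                        continue;
                if (s[1] == '%') {      /* "%%" is a literal percent */
                        s++;
                        continue;
                }
                return 1;
        }
        return 0;
}

/* Renders msg exactly as msgout_safe() hands it to syslog(), into a
 * caller buffer so the behaviour can be checked without a log daemon.
 * Returns the length written (without NUL), or -1 if out is too small. */
int render_safe(char *out, size_t outsz, const char *msg)
{
        int n = snprintf(out, outsz, "%s", msg);
        if (n < 0 || (size_t)n >= outsz)
                return -1;
        return n;
}

int main(void)
{
        char buf[64];
        const char *only_call = "unable to free arguments";   /* from the post */
        printf("directive in literal: %d\n", has_format_directive(only_call));
        printf("directive in \"100%% done\": %d\n", has_format_directive("100% done"));
        render_safe(buf, sizeof buf, "100% done");
        printf("rendered safely: %s\n", buf);
        return 0;
}
```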