2 dodgy network programs
Antonomasia (ant NOTATLA.DEMON.CO.UK)
Sat, 9 Oct 1999 11:22:02 +0100
I was just visiting http://www.echelon.wiretapped.net and downloaded a
small file called "tcplog.c" with no author or version stated. It is for
logging connections to your box (linux only).
There are some minor coding gripes I could make, but line 107
takes a risk with the size of a hostname:
98 char *hostlookup(unsigned long int in)
99 {
100 static char blah[1024];
101 struct in_addr i;
102 struct hostent *he;
103
104 i.s_addr=in;
105 he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
106 if(he == NULL) strcpy(blah, inet_ntoa(i));
107 else strcpy(blah, he->h_name);
108 return blah;
109 }
Also I want to mention DeleGate-5.9.3 (at www.echelon.wiretapped.net and
elsewhere, in versions for Linux, AIX etc).
Luc Stepniewski <lstep mail.dotcom.fr> drew attention to this in April 1999
for having very many string operations without bounds checking.
Although I made it dump core
#0 0x40058cf3 in ?? () from /lib/libc.so.6
(gdb) bt
#0 0x40058cf3 in ?? () from /lib/libc.so.6
#1 0x8103b80 in RES_matchLine (
what=0x41414141 <Address 0x41414141 out of bounds>, byname=1094795585,
name=0x41414141 <Address 0x41414141 out of bounds>,
line=0x41414141 <Address 0x41414141 out of bounds>, rv=0x41414141,
rb=0x41414141 <Address 0x41414141 out of bounds>,
cname=0x41414141 <Address 0x41414141 out of bounds>) at reshost.c:461
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
when I came to convert this into an exploit I could not reproduce it. I told
Luc around April I was going to make a demo exploit but have never found the
time. Will someone else take it on? DeleGate has pretensions to being
a security product and ought to set an example or be made one.
Luc and I both contacted the author in/before April.
--
##############################################################
# Antonomasia   antnotatla.demon.co.uk                       #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
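A bounded form of the hostlookup() routine quoted in the message above, added here as an example; it is not part of the original post or of tcplog.c. The names safe_copy_name, hostlookup_bounded and HOSTBUF are hypothetical, and the oversized name in main() is constructed input.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define HOSTBUF 1024  /* same size as blah[] in the quoted code */

/* Copy name into dst only if it fits whole, terminator included.
 * Returns 0 on success, -1 (dst emptied) if missing or too long.
 * safe_copy_name is a hypothetical helper, not part of tcplog.c. */
int safe_copy_name(char *dst, size_t dstlen, const char *name)
{
    const char *end;
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (name == NULL)
        return -1;
    end = memchr(name, '\0', dstlen);   /* scan at most dstlen bytes */
    if (end == NULL)                    /* no terminator within dstlen */
        return -1;
    memcpy(dst, name, (size_t)(end - name) + 1);
    return 0;
}

/* Bounded variant of hostlookup(): an oversized name from the resolver
 * falls back to the dotted-quad address instead of overrunning blah[]. */
char *hostlookup_bounded(unsigned long int in)
{
    static char blah[HOSTBUF];
    struct in_addr i;
    struct hostent *he;

    i.s_addr = (in_addr_t)in;
    he = gethostbyaddr((const char *)&i, sizeof(struct in_addr), AF_INET);
    if (he == NULL || safe_copy_name(blah, sizeof blah, he->h_name) != 0)
        safe_copy_name(blah, sizeof blah, inet_ntoa(i));
    return blah;
}

int main(void)
{
    static char out[HOSTBUF], big[4096];   /* constructed oversized name */
    memset(big, 'A', sizeof big - 1);      /* last byte stays '\0' */
    printf("oversized name: %d\n", safe_copy_name(out, sizeof out, big));
    printf("normal name: %d\n", safe_copy_name(out, sizeof out, "host.example"));
    return 0;
}
```

The helper refuses an overlong name outright rather than truncating it, so a log entry never carries a partial hostname that could be mistaken for a different host.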
This archive was generated by hypermail 2.0b3 on Sat Oct 09 1999 - 11:04:36 CDT