OSEC

From: david evlis reign (davidreignhotmail.com)
Date: Tue May 21 2002 - 21:06:43 CDT

    Intro:
    rarpd is a reverse ARP protocol daemon for small to medium sized networks.
    In the Solaris implementation (in.rarpd) there seem to be 3 remotely
    exploitable buffer overflows, 2 locally exploitable ones and 2 cases of
    format string exploitability.

    Details:
    In the functions error and syserr (syserr also being used by other in.*
    implementations which are also exploitable, but not the topic of this
    advisory today) there are 2 common syslog calls without format strings.

    #include <errno.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>

    extern char *cmdname;   /* program name, defined elsewhere in in.rarpd (assumed char *) */

    static void
    syserr(s)
    char *s;
    {
            char buf[256];

            /* unbounded sprintf: a long s (plus strerror text) overruns buf */
            (void) sprintf(buf, "%s: %s", s, strerror(errno));
            (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
            /* buf is passed as the format string: any '%' in s is interpreted */
            syslog(LOG_ERR, buf);
            exit(1);
    }

    /* VARARGS1 */
    static void
    error(char *fmt, ...)
    {
            char buf[256];
            va_list ap;

            va_start(ap, fmt);
            /* unbounded vsprintf into the 256-byte stack buffer */
            (void) vsprintf(buf, fmt, ap);
            va_end(ap);
            (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
            /* again the formatted message itself becomes the format string */
            syslog(LOG_ERR, buf);
            exit(1);
    }

    there are two vulnerable calls which could be exploited locally or remotely.
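    For comparison, a hardened counterpart to the two helpers above (an added example, not Solaris or in.rarpd source): snprintf bounds the message to the 256-byte buffer, and syslog() always gets a fixed "%s" format so '%' sequences in the message are logged as data. The function names and the constructed inputs in selfcheck() are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOGBUF 256   /* same size as buf[256] in in.rarpd */

/* Hardened counterpart of syserr()'s sprintf(): bounded formatting.
 * Returns 1 if the message had to be truncated to fit, 0 otherwise. */
int safe_syserr_msg(char *buf, size_t buflen, const char *s, int err)
{
    int n = snprintf(buf, buflen, "%s: %s", s, strerror(err));
    return n < 0 || (size_t)n >= buflen;
}

/* Hardened counterpart of syslog(LOG_ERR, buf): the fixed "%s" format
 * means any '%' inside msg reaches syslog() as data, not a directive. */
void log_message(const char *cmdname, int pri, const char *msg)
{
    (void) fprintf(stderr, "%s: %s\n", cmdname, msg);
    syslog(pri, "%s", msg);
}

/* Self-check on constructed inputs (not real RARP traffic): a '%'-laden
 * string stays literal, and an oversized one is cut at LOGBUF-1 bytes
 * instead of running past the buffer. Returns the number of failures. */
int selfcheck(void)
{
    char buf[LOGBUF];
    char big[400];
    int failed = 0;

    if (safe_syserr_msg(buf, sizeof buf, "reply %n%n%s", ENOENT) != 0 ||
        strncmp(buf, "reply %n%n%s: ", 14) != 0)
        failed++;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (safe_syserr_msg(buf, sizeof buf, big, ENOENT) != 1 ||
        strlen(buf) != LOGBUF - 1)
        failed++;
    return failed;
}
```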

    vendor notification: nope

    A working exploit has been created for the remote buffer overflows, but not
    this time, not here.

    DER systems
