Intro:
rarpd is a reverse arp protocol for small to medium sized networks.
in the solaris implementation (in.rarpd) there seems to be 3 remotely
exploitable buffer overflows, 2 locally exploitable and 2 cases of format
string exploitability.

Details:
In the functions error and syserr (syserr also being used by other in.*
implmentations which are also exploitable, but not the topic of this
advisory today) there contains 2 common syslog calls without format strings.

static void
syserr(s)
char *s;
{
        char buf[256];

        (void) sprintf(buf, "%s: %s", s, strerror(errno));
        (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
        syslog(LOG_ERR, buf);
        exit(1);
}

/* VARARGS1 */
static void
error(char *fmt, ...)
{
        char buf[256];
        va_list ap;

        va_start(ap, fmt);
        (void) vsprintf(buf, fmt, ap);
        va_end(ap);
        (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
        syslog(LOG_ERR, buf);
        exit(1);
}

there are two vulnerable calls which could be exploited locally or remotely.

vendor notification: nope

a working exploit has been created for the remote buffer overflows but not
this time, not here.

DER systems

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]