From owner-freebsd-security  Wed Aug 21 13:45:10 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id NAA25174
          for security-outgoing; Wed, 21 Aug 1996 13:45:10 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA25165
          for <freebsd-security@freebsd.org>; Wed, 21 Aug 1996 13:45:03 -0700 (PDT)
Received: (from davem@localhost) by phoenix.iss.net (8.6.13/8.6.12) id QAA01683; Wed, 21 Aug 1996 16:39:01 -0400
Date: Wed, 21 Aug 1996 16:38:57 -0400 (EDT)
From: "David J. Meltzer" <davem@iss.net>
To: bugtraq@netspace.org, linux-security@tarsier.cv.nrao.edu,
        freebsd-security@freebsd.org, deraadt@theos.com
Subject: rwhod buffer overflow
In-Reply-To: <199607240541.BAA18220@hcs.HARVARD.EDU>
Message-ID: <Pine.LNX.3.91.960821154151.768A-100000@phoenix.iss.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

There is a remote buffer overflow in the path variable in rwhod.c in the
line: (void) sprintf(path, "whod.%s", wd.wd_hostname);

Although wd_hostname is defined to be only 32 characters, it is read as 
part of the wd structure from a remote host through a UDP packet and can
be as large as the remainder of the structure starting at that point.

Through examining the source this appears to be a problem in current 
OpenBSD, NetBSD, FreeBSD, and Linux distributions.  Through penetration 
testing I have also found this problem present on AIX; I have not examined
other platforms running rwhod and so do not know about their potential 
vulnerability.

I have succesfully exploited this remotely to produce undesirable effects
(segfaults and overwriting argv[0] on different OSes), I have not spent 
sufficient time on this to determine exactly how/if to compromise root 
directly with this overflow, but it is definitely something that should be
corrected.

I would suggest prior to the sprintf line you add something to the effect:
if(strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
  syslog(LOG_WARNING, "possible hostname overflow attack apparently from %x",
         from.sin_addr);
  continue;
  }

                   Program: /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others.
                            rwhod must be running on the system
              Requirements: Ability to send UDP packet to target host
       Security Compromise: Possible denial of service, Possible annoyance,
                            Possibly root compromise?
                    Author: Dave M. (davem@iss.net)
                  Synopsis: rwhod reads a structure from a udp packet and
                            does not check the hostname member of the
                            structure for being the expected size.


--------------------------------+---------------------
       David J. Meltzer         | Email: davem@iss.net 
       Systems Engineer         |   Web:   www.iss.net 
Internet Security Systems, Inc. |   Fax: (404)252-2427





             



--------------------------------+---------------------
       David J. Meltzer         | Email: davem@iss.net 
       Systems Engineer         |   Web:   www.iss.net 
Internet Security Systems, Inc. |   Fax: (404)252-2427