From owner-freebsd-security Wed Aug 21 19:12:45 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA02086 for security-outgoing; Wed, 21 Aug 1996 19:12:45 -0700 (PDT)
Received: from sparc.eunet.si (sparc.eunet.si [193.77.2.66]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id TAA02081 for ; Wed, 21 Aug 1996 19:12:41 -0700 (PDT)
Received: from FRAJER.nil.si (mail-gw.nil.si [193.77.3.74]) by sparc.eunet.si (8.6.8/8.7.3) with SMTP id EAA03742 for ; Thu, 22 Aug 1996 04:17:53 +0200
X-From:
Received: from pdx1.world.net by mail-gw.nil.si (Promail gateway v1.4.1) with SMTP ; Thu, 22 Aug 96 04:12:20 -0400
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id TAA02686; Wed, 21 Aug 1996 19:13:20 -0700 (PDT)
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA30626; Thu, 22 Aug 1996 10:54:43 +1000
Resent-Date: Thu, 22 Aug 1996 10:54:43 +1000
Approved-By: ALEPH1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: "David J. Meltzer"
Message-Id:
Date: Wed, 21 Aug 1996 16:38:57 -0400
Reply-To: Bugtraq List
From: "David J. Meltzer"
To: Multiple recipients of list BUGTRAQ
In-Reply-To: <199607240541.BAA18220@hcs.HARVARD.EDU>
Resent-Message-Id: <"yhhSK1.0.VU7.I_w6o"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/243
X-Loop: best-of-security@suburbia.net
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: rwhod buffer overflow
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

There is a remote buffer overflow in the path variable in rwhod.c in the line:

    (void) sprintf(path, "whod.%s", wd.wd_hostname);

Although wd_hostname is defined to be only 32 characters, it is read as part of the wd structure from a remote host through a UDP packet and can be as large as the remainder of the structure starting at that point.
Through examining the source this appears to be a problem in current OpenBSD, NetBSD, FreeBSD, and Linux distributions. Through penetration testing I have also found this problem present on AIX; I have not examined other platforms running rwhod and so do not know about their potential vulnerability. I have successfully exploited this remotely to produce undesirable effects (segfaults and overwriting argv[0] on different OSes). I have not spent sufficient time on this to determine exactly how/if to compromise root directly with this overflow, but it is definitely something that should be corrected.

I would suggest that prior to the sprintf line you add something to the effect of:

    /* Reject a hostname field that has no NUL within its 32 bytes; the
     * packet came from the network and must not be trusted to be
     * terminated.  Log the sender as a dotted quad rather than passing
     * the struct in_addr to %x. */
    if (strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
            syslog(LOG_WARNING,
                "possible hostname overflow attack apparently from %s",
                inet_ntoa(from.sin_addr));
            continue;
    }

Program: /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others.
    rwhod must be running on the system
Requirements: Ability to send UDP packet to target host
Security Compromise: Possible denial of service, possible annoyance, possibly root compromise?
Author: Dave M. (davem@iss.net)
Synopsis: rwhod reads a structure from a UDP packet and does not check the hostname member of the structure for being the expected size.

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (404)252-2427
--------------------------------+---------------------
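As an added illustration (not code from the advisory or from any rwhod implementation), the following C applies the check the post recommends to a simplified whod header: the datagram is length-checked before it is copied, the hostname field is verified to contain a NUL within its own 32 bytes using memchr (which, unlike strlen, cannot read past the field), and the path is built with snprintf instead of sprintf. The struct layout is a constructed simplification of rwhod.h, and the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simplified on-the-wire layout of the whod structure (constructed for this
 * example; the real struct in <protocols/rwhod.h> has more members).  The
 * hostname is a fixed 32-byte field, but nothing on the wire guarantees it
 * contains a NUL terminator, and the bytes after it are attacker-supplied. */
#define WD_HOSTNAME_LEN 32
struct whod_hdr {
    char    wd_vers;
    char    wd_type;
    char    wd_pad[2];
    int32_t wd_sendtime;
    int32_t wd_recvtime;
    char    wd_hostname[WD_HOSTNAME_LEN];
    int32_t wd_loadav[3];      /* immediately follows the hostname in memory */
    int32_t wd_boottime;
};

/* Copy a received datagram into the header struct.  Short packets are
 * rejected so a truncated datagram cannot leave stale bytes in wd_hostname. */
int parse_whod_hdr(const unsigned char *pkt, size_t len, struct whod_hdr *out)
{
    if (len < sizeof *out)
        return -1;
    memcpy(out, pkt, sizeof *out);
    return 0;
}

/* Return 1 if wd_hostname is NUL-terminated inside its own 32 bytes, else 0.
 * memchr is bounded, so the check never walks into wd_loadav and beyond. */
int hostname_is_sane(const struct whod_hdr *wd)
{
    return memchr(wd->wd_hostname, '\0', sizeof wd->wd_hostname) != NULL;
}

/* Build "whod.<host>" into a caller-supplied buffer.  Returns the length
 * written, or -1 if the hostname is unterminated or the result would not fit
 * (the condition the original unchecked sprintf silently overflowed on). */
int build_whod_path(const struct whod_hdr *wd, char *path, size_t pathlen)
{
    if (!hostname_is_sane(wd))
        return -1;
    int n = snprintf(path, pathlen, "whod.%s", wd->wd_hostname);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    return n;
}
```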