Bugtraq mailing list archives
rwhod buffer overflow
From: davem () iss net (David J. Meltzer)
Date: Wed, 21 Aug 1996 16:38:57 -0400
There is a remote buffer overflow in the path variable in rwhod.c in the line:

    (void) sprintf(path, "whod.%s", wd.wd_hostname);

Although wd_hostname is defined to be only 32 characters, it is read as part of the wd structure from a remote host through a UDP packet and can be as large as the remainder of the structure starting at that point.

Through examining the source this appears to be a problem in current OpenBSD, NetBSD, FreeBSD, and Linux distributions. Through penetration testing I have also found this problem present on AIX; I have not examined other platforms running rwhod and so do not know about their potential vulnerability.

I have successfully exploited this remotely to produce undesirable effects (segfaults and overwriting argv[0] on different OSes). I have not spent sufficient time on this to determine exactly how/if to compromise root directly with this overflow, but it is definitely something that should be corrected.

I would suggest prior to the sprintf line you add something to the effect:

    /* Reject a hostname that is not NUL-terminated inside its own 32-byte
     * field; memchr is bounded, so the check itself cannot read past it. */
    if (memchr(wd.wd_hostname, '\0', sizeof(wd.wd_hostname)) == NULL) {
        syslog(LOG_WARNING,
               "possible hostname overflow attack apparently from %s",
               inet_ntoa(from.sin_addr));
        continue;
    }

Program: /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others. rwhod must be running on the system.
Requirements: Ability to send UDP packet to target host
Security Compromise: Possible denial of service, Possible annoyance, Possibly root compromise?
Author: Dave M. (davem () iss net)
Synopsis: rwhod reads a structure from a UDP packet and does not check the hostname member of the structure for being the expected size.

--------------------------------+---------------------
David J. Meltzer                | Email: davem () iss net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (404)252-2427
--------------------------------+---------------------
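The check described in the post, worked through as an added example (not code from the post or from any rwhod source): a constructed stand-in for the struct layout (a 32-byte hostname followed by further fields), a bounded validator, and a bounded replacement for the sprintf call. The struct name whod_like, the field wd_remainder and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the relevant part of rwhod's struct: a 32-byte
 * hostname followed by more data (here a fixed block standing in for the
 * load averages, idle times and per-user entries that follow it). */
#define WD_HOSTNAME_LEN 32
#define WD_REMAINDER_LEN 64

struct whod_like {
    char wd_hostname[WD_HOSTNAME_LEN];
    char wd_remainder[WD_REMAINDER_LEN];
};

/* 1 if the hostname is NUL-terminated within its own field, else 0.
 * memchr is bounded by the field size, so the check cannot over-read. */
int hostname_is_sane(const struct whod_like *wd)
{
    return memchr(wd->wd_hostname, '\0', sizeof wd->wd_hostname) != NULL;
}

/* Hardened replacement for: (void) sprintf(path, "whod.%s", wd.wd_hostname);
 * Returns 0 and fills path on success; returns -1 with an empty path when the
 * hostname runs past its 32-byte field (the condition the post describes). */
int build_whod_path(const struct whod_like *wd, char *path, size_t pathlen)
{
    if (pathlen == 0) return -1;
    path[0] = '\0';
    if (!hostname_is_sane(wd))
        return -1;                  /* sprintf would have copied past 32 bytes */
    /* %.*s caps the copy at the field size even if the check above were dropped. */
    int n = snprintf(path, pathlen, "whod.%.*s",
                     (int)sizeof wd->wd_hostname, wd->wd_hostname);
    return (n < 0 || (size_t)n >= pathlen) ? -1 : 0;
}

/* Constructed test datagram: every byte non-NUL, so the hostname field has no
 * terminator and strlen/sprintf would run on into wd_remainder. */
void make_unterminated_packet(struct whod_like *wd)
{
    memset(wd, 'A', sizeof *wd);
}

int main(void)
{
    struct whod_like good, bad;
    char path[128];
    memset(&good, 0, sizeof good);
    strcpy(good.wd_hostname, "host1");
    make_unterminated_packet(&bad);
    printf("good: rc=%d path=%s\n", build_whod_path(&good, path, sizeof path), path);
    printf("bad:  rc=%d path='%s'\n", build_whod_path(&bad, path, sizeof path), path);
    return 0;
}
```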