Bugtraq mailing list archives
Re: possible lpd remote vulnerability
From: cyber () DIS ORG (Evil Erik)
Date: Sat, 30 Nov 1996 12:39:46 -0800
] Howdy,
]
] I was looking through lpd sources and noticed something that can actually be
] a remote vulnerability in lpd, allowing for stack overflow and thus
] arbitrary machine code execution. The piece of code that I'm suspicious
] about is
]
] lpd.c, line 463
]         hp = gethostbyaddr((char *)&f->sin_addr,
]                 sizeof(struct in_addr), f->sin_family);
]         if (hp == 0)
]                 fatal("Host name for your address (%s) unknown",
]                         inet_ntoa(f->sin_addr));
]
]         strcpy(fromb, hp->h_name);
]         from = fromb;

<snip>

] after a call to gethostbyaddr() h_name, i.e. hostname of the remote machine,
] is copied first to fromb then to ahost without checking for length.

<snip>

] The code I was looking at was obtained from Debian Linux distribution
] sources, lpd version is 5.19. But I suspect that all lpd's around that are
] derived from BSD lpd have this piece of code, including commercial Unices.
]
] Can somebody confirm this or show that I'm wrong? I can then make a
] summary.

This is from NetBSD-current:

/* $NetBSD: lpd.c,v 1.8 1996/09/21 15:57:22 perry Exp $ */

Earlier versions may be fixed, but without CVS access I can't tell.

lpd.c, line 482:
        hp = gethostbyaddr((char *)&f->sin_addr,
                sizeof(struct in_addr), f->sin_family);
        if (hp == NULL)
                fatal("Host name for your address (%s) unknown",
                        inet_ntoa(f->sin_addr));
        (void) strncpy(fromb, hp->h_name, sizeof(fromb));
        from[sizeof(fromb) - 1] = '\0';
        from = fromb;

-=erik.
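A bounded version of the copy both messages discuss, written here as an added example rather than code from lpd or from either poster. It reuses lpd's fromb/from names, stands in a constructed struct hostent for the gethostbyaddr() result, and rejects an over-long name instead of truncating it as the NetBSD snippet does, since a truncated name could match a different hosts.lpd entry.

```c
#include <netdb.h>
#include <string.h>
#include <sys/param.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256
#endif

/* Same globals as BSD lpd: 'from' initially points at the local host name
 * buffer and only later at fromb, which is why a terminator written through
 * 'from' before the reassignment would land in the wrong buffer. */
static char host[MAXHOSTNAMELEN] = "localhost";
static char fromb[MAXHOSTNAMELEN];
static char *from = host;

/* Bounded replacement for "strcpy(fromb, hp->h_name); from = fromb;".
 * A name that does not fit is rejected outright rather than truncated,
 * and the terminator always goes into fromb itself.
 * Returns 0 on success, -1 on a missing or oversized name. */
int set_from_host(const struct hostent *hp)
{
    size_t n;

    if (hp == NULL || hp->h_name == NULL)
        return -1;
    n = strlen(hp->h_name);
    if (n >= sizeof(fromb))
        return -1;                      /* would overflow fromb */
    memcpy(fromb, hp->h_name, n + 1);   /* n + 1 <= sizeof(fromb) */
    from = fromb;
    return 0;
}

/* Constructed hostent records standing in for gethostbyaddr() results:
 * use_long = 0 gives a normal name, use_long = 1 a name past the buffer. */
int try_name(int use_long)
{
    static char short_name[] = "printer.example.org";
    static char long_name[MAXHOSTNAMELEN + 8];
    struct hostent hp;

    memset(long_name, 'a', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';
    memset(&hp, 0, sizeof(hp));
    hp.h_name = use_long ? long_name : short_name;
    return set_from_host(&hp);
}
```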