Bugtraq mailing list archives

Re: bootpd remote vulnerability

From: jmcdonal () UNF EDU (John McDonald)
Date: Mon, 7 Dec 1998 09:43:42 -0500


On Sat, 5 Dec 1998, Crispin Cowan wrote:

Is Linux not vulnerable for some systemic reason, or because the distributed
bootp doesn't have the vulnerability?

Thanks,
    Crispin


I looked at Linux a while ago, so this is a somewhat vague memory. I
believe I looked at a stable debian release (non-glibc), an older
slackware version, freebsd 2.2.5, and freebsd 2.2.2. I apologize for my
lack of memory.

Anyway, I believe in all of these systems, the vulnerability was present,
but it was not exploitable. The values in memory after the hwinfolist
table were either too small to overwrite enough of the stack, or so large
that they caused a seg fault. I remember there were some appropriate
values in some cases, but they were over 255, and the value in memory that
would correspond with their description was not a valid deferencable
pointer. Thus, the warning that bootpd prints out would cause a bus error.

horizon

Current thread:

bootpd remote vulnerability John McDonald (Dec 04)
- hping, a tcp pinger antirez (Nov 30)
- Re: bootpd remote vulnerability Irwin Tillman (Dec 04)
- <Possible follow-ups>
- Re: bootpd remote vulnerability Crispin Cowan (Dec 05)
  - Cheops Mark Spencer (Dec 07)
  - Re: bootpd remote vulnerability John McDonald (Dec 07)
  - Security Bulletins Digest (fwd) Patrick Oonk (Dec 07)