Overflow in tcplog.c (VD#3)

[BlueBoar () THIEVCO COM (Blue Boar)]

-------------------------------------------------------------------
Periodically, the moderator of of the vuln-dev mailing list will post
summaries of issues discussed there to Bugtraq and possibly other relevant
lists.  This will usually happen when an issue has been resolved, or it
appears that there will be no further discussion on vuln-dev.  Each
separate issue will be given it's own posting to facilitate referencing
them separately, for discussion, forwarding, or appearance in vulnerability
databases.

To subscribe to vuln-dev, send an e-mail to listserv () securityfocus com,
with the word SUBSCRIBE in the body of the message.

A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev
(click on these sections, the web pages are forms-based.)
-------------------------------------------------------------------

Problem description follows.  A "documentation" fix has been made,
reference:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=3805060A.7AE54AB () isc org

From:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=199910091022.LAA02585 () notatla demon 
co uk

To:           Exploit-Dev
Subject:      2 dodgy network programs
Date:         Sat Oct 09 1999 04:22:02
Author:       Antonomasia
Message-ID:   <199910091022.LAA02585 () notatla demon co uk>

I was just visiting  http://www.echelon.wiretapped.net and downloaded a
small file called "tcplog.c" with no author or version stated.  It is for
logging connections to your box (linux only).

There are some minor coding gripes I could make, but line 107
takes a risk with the size of a hostname

    98  char *hostlookup(unsigned long int in)
    99  {
   100     static char blah[1024];
   101     struct in_addr i;
   102     struct hostent *he;
   103
   104     i.s_addr=in;
   105     he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
   106     if(he == NULL) strcpy(blah, inet_ntoa(i));
   107     else strcpy(blah, he->h_name);
   108     return blah;
   109  }

Also I want to mention DeleGate-5.9.3 (at www.echelon.wiretapped.net and
elsewhere, in versions for Linux, AIX etc).
Luc Stepniewski <lstep () mail dotcom fr> drew attention to this in April 1999
for having very many string operations without bounds checking.
Although I made it dump core

   #0  0x40058cf3 in ?? () from /lib/libc.so.6
   (gdb) bt
   #0  0x40058cf3 in ?? () from /lib/libc.so.6
   #1  0x8103b80 in RES_matchLine (
       what=0x41414141 <Address 0x41414141 out of bounds>,
byname=1094795585,
       name=0x41414141 <Address 0x41414141 out of bounds>,
       line=0x41414141 <Address 0x41414141 out of bounds>, rv=0x41414141,
       rb=0x41414141 <Address 0x41414141 out of bounds>,
       cname=0x41414141 <Address 0x41414141 out of bounds>) at
reshost.c:461
   #2  0x41414141 in ?? ()
   Cannot access memory at address 0x41414141.

when I came to convert this into an exploit I could not reproduce it.  I
told
Luc around April I was going to make a demo exploit but have never found
the
Time.  Will someone else take it on ?  DeleGate has pretentions to being
A security product and ought to set an example or be made one.
Luc and I both contacted the author in/before April.