Bugtraq mailing list archives
OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow
From: Matt Power <mhpower () MIT EDU>
Date: Tue, 8 Aug 2000 03:48:04 -0400
The mopd (Maintenance Operations Protocol loader daemon) implementation in OpenBSD 2.7 and NetBSD 1.4.2 includes a step in which the daemon receives a file name from a client elsewhere on the network. I found one point at which the client can overflow a buffer in the server by sending a long file name. Also, I found two points at which the server uses the client-supplied file name directly as part of a format string in a syslog(3) function call (this is potentially problematic if the file name contains any % characters). I reported these issues to the OpenBSD and NetBSD security contact addresses at 00:04 UTC on 29 June 2000. I received a reply from the OpenBSD project at 00:15 UTC on 29 June, and a reply from the NetBSD Project at 03:05 UTC on 29 June. An OpenBSD 2.7 security advisory was issued on 5 July -- see http://www.openbsd.org/security.html#27 and its link to http://www.openbsd.org/errata.html#mopd (which references a patch for OpenBSD 2.7). Patches for NetBSD have also been written -- you may wish to look at http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c There are other versions of mopd that you might possibly be using. Download locations include ftp://ftp.redhat.com/pub/redhat/powertools/6.2/i386/SRPMS/mopd-linux-2.5.3-4.src.rpm ftp://ftp.stacken.kth.se/pub/OS/NetBSD/mopd/mopd-linux-2.5.3.tar.gz ftp://linux-vax.sourceforge.net/pub/linux-vax/tools/misc/mopd-linux.tar.gz I suspect that currently all of these are vulnerable versions. To check for the buffer-overflow problem yourself, look at the function mopProcessDL in the file process.c. Older versions of the code declare a 17-character buffer named pfile, and rely directly on a value of tmpc (an unsigned char value obtained over the network from the client) to determine how much data to write into this buffer, regardless of whether the buffer is smaller than tmpc. To check for the syslog problem, look for "syslog(LOG_INFO, line);". I think OpenBSD and NetBSD are the only cases in which mopd is installed by default in any common operating-system distribution. There's no direct risk in having mopd installed; the potential risk occurs only if a vulnerable version of mopd is running (mopd can be one of the daemons started at boot time, or it could be started later by root; it is not run from inetd). The risk may also commonly be further limited by the inability of any machines outside of the local Ethernet to get packets to the mopd. Finally, mopd would typically not be running except on machines that act as a netboot server for certain other pieces of hardware on a local network (e.g., some types of DEC hardware, possibly also some types of Cisco hardware). Matt Power mhpower () mit edu
Current thread:
- OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow Matt Power (Aug 08)
- Re: OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow Andreas Hasenack (Aug 10)