Bugtraq mailing list archives
Re: Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 20 Jan 2006 21:43:09 +0100
III. Detection This problem has been detected and tested on latest versions: snmptrapd from cmu-snmp-linux-3.7 package snmptrapd from cmu-snmp-linux-3.6 package
This seems to be the following code: int snmp_input(op, session, reqid, pdu, magic) int op; struct snmp_session *session; int reqid; struct snmp_pdu *pdu; void *magic; { struct variable_list *vars; char buf[64], sbuf [10240]; if (op == RECEIVED_MESSAGE && pdu->command == TRP_REQ_MSG){ if (Print){ [...] } else { [...] sprintf (sbuf, "%s: %s Trap (%d) Uptime: %s", inet_ntoa(pdu->agent_addr.sin_addr), trap_description(pdu->trap_type), pdu->specific_type, uptime_string(pdu->time, buf)); [...] for (vars = pdu->variables; vars; vars = vars->next_variable) { /* XXX: check buffer space avail */ strcat (sbuf, " "); sprint_variable (sbuf + strlen (sbuf), vars->name, vars->name_length, vars); } syslog(LOG_WARNING, sbuf); } [...] } Apparently, this code has not made its way into the UCD-SNMP and NET-SNMP source (or the official CMU-SNMP sources). This means that the number of affected systems should be minimal.
Current thread:
- Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability info (Jan 17)
- Re: Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability Florian Weimer (Jan 20)