Re: iplogger-1.1+ident

From: Brian Mitchell (bmitchat_private)
Date: Fri Oct 23 1998 - 06:04:58 PDT

Next message: Paul Boehm: "buffer overflow vulnerability in netscape 3.0 to 4.5"

Previous message: Paul Boehm: "Re: buffer overflow vulnerability in netscape 3.0 to 4.5"
Maybe in reply to: Matt Watson: "iplogger-1.1+ident"
Next in thread: Matt Watson: "Re: iplogger-1.1+ident"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

That's not the only problem with both the old and new version of iplogger. There is a DNS buffer overflow (to a static buffer, so it might not be exploitable) in the original version.

In the new version, there seems to be an ident overflow from extremely casual inspection:

if (read(j, buf, 256) <= 0) {
                sprintf(bleah, "unknown@%s", hostlookup(remote_addr));
        } else {
                sscanf(buf, "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : %[^\n\r
]", uname);

                sprintf(bleah, "%s@%s", uname, hostlookup(remote_addr));


uname is a 64 byte char string allocated on the stack, so it appears it is vulnerable to a remote overflow which would give the attacker root access.

If(!fork) is also not the best idea, since it will evaluate to true if fork() fails (returns -1). If the fork() fails twice, and the syn is spoofed, the ident connection could block for a long time if the src addr is filtering that port, and in the meantime, no connections will be logged.

-----Original Message-----
From:   Matt Watson [SMTP:sideshowat_private]
Sent:   Thursday, October 22, 1998 4:28 AM
To:     BUGTRAQat_private
Subject:        iplogger-1.1+ident

Hello, today i was wondering around sunsite and noticed a newer version of
iplogger there:
ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/iplogger-ident-1.1.tar.gz
Anyways i decided to take a look at the new code at the first thing that
popped right out was:
        while (1) {
                read(s, (struct ippkt *) &pkt, 9999);
                if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
                        if (!fork()) { /* double fork()    */
                                if (!fork()) {  /* to avoid zombies */
                                        openlog("tcplogd", 0, LOG_DAEMON);


^^ lines 34-39
now then, that double fork... thats well uhm evil.  That has remote
fork-bomb written all over it.  just load up your favorite port scanner
and scan away and watch your machine fork like crazy!  Anyways just
another comment on the new iplogger, it seems it only logs connections to
ports which are not open? I dunno about everybody else but personally i'd
rather know who is connecting to ports I do have open rather than who is
trying to connect to ports i don't have open.  Anyways thats my 2 cents.

-/- Matt Watson
    TeraHertz Communications Administrator
    For quality web space and shells checkout www.terahertz.net

Next message: Paul Boehm: "buffer overflow vulnerability in netscape 3.0 to 4.5"
Previous message: Paul Boehm: "Re: buffer overflow vulnerability in netscape 3.0 to 4.5"
Maybe in reply to: Matt Watson: "iplogger-1.1+ident"
Next in thread: Matt Watson: "Re: iplogger-1.1+ident"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:51 PDT