-------------------------------------------------------------------
Periodically, the moderator of the vuln-dev mailing list will post summaries of issues discussed there to Bugtraq and possibly other relevant lists. This will usually happen when an issue has been resolved, or it appears that there will be no further discussion on vuln-dev. Each separate issue will be given its own posting to facilitate referencing them separately, for discussion, forwarding, or appearance in vulnerability databases.

To subscribe to vuln-dev, send an e-mail to listservat_private, with the word SUBSCRIBE in the body of the message. A FAQ and archive can be found at www.securityfocus.com --> forums --> vuln-dev (click on these sections; the web pages are forms-based.)
-------------------------------------------------------------------

Problem description follows. A "documentation" fix has been made, reference:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=3805060A.7AE54ABat_private

From: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=199910091022.LAA02585at_private
To: Exploit-Dev
Subject: 2 dodgy network programs
Date: Sat Oct 09 1999 04:22:02
Author: Antonomasia
Message-ID: <199910091022.LAA02585at_private>

I was just visiting http://www.echelon.wiretapped.net and downloaded a small file called "tcplog.c" with no author or version stated. It is for logging connections to your box (linux only).
There are some minor coding gripes I could make, but line 107 takes a risk with the size of a hostname:

     98 char *hostlookup(unsigned long int in)
     99 {
    100     static char blah[1024];
    101     struct in_addr i;
    102     struct hostent *he;
    103
    104     i.s_addr=in;
    105     he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
    106     if(he == NULL) strcpy(blah, inet_ntoa(i));
    107     else strcpy(blah, he->h_name);
    108     return blah;
    109 }

Also I want to mention DeleGate-5.9.3 (at www.echelon.wiretapped.net and elsewhere, in versions for Linux, AIX etc). Luc Stepniewski <lstepat_private> drew attention to this in April 1999 for having very many string operations without bounds checking. Although I made it dump core

    #0  0x40058cf3 in ?? () from /lib/libc.so.6
    (gdb) bt
    #0  0x40058cf3 in ?? () from /lib/libc.so.6
    #1  0x8103b80 in RES_matchLine (
        what=0x41414141 <Address 0x41414141 out of bounds>,
        byname=1094795585,
        name=0x41414141 <Address 0x41414141 out of bounds>,
        line=0x41414141 <Address 0x41414141 out of bounds>,
        rv=0x41414141,
        rb=0x41414141 <Address 0x41414141 out of bounds>,
        cname=0x41414141 <Address 0x41414141 out of bounds>) at reshost.c:461
    #2  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141.

when I came to convert this into an exploit I could not reproduce it. I told Luc around April I was going to make a demo exploit but have never found the time. Will someone else take it on? DeleGate has pretensions to being a security product and ought to set an example or be made one. Luc and I both contacted the author in/before April.
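As an added example (not code from the original post or from tcplog.c), a bounded rewrite of hostlookup(): the resolver's h_name is copied with an explicit length limit and always NUL-terminated, so an over-long hostname is truncated and reported rather than overrunning the 1024-byte static buffer. The names bounded_copy, hostlookup_safe and truncated_len are assumed, not from the page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Copy at most dstsz-1 bytes of src into dst and always NUL-terminate.
 * Returns 1 if src had to be truncated, 0 otherwise. (Assumed helper name.) */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for tcplog.c's hostlookup(): an over-long h_name from
 * the resolver is truncated and reported instead of overrunning the buffer. */
char *hostlookup_safe(unsigned long int in)
{
    static char blah[1024];              /* same size as the original */
    struct in_addr i;
    struct hostent *he;
    i.s_addr = in;
    he = gethostbyaddr((char *)&i, sizeof(struct in_addr), AF_INET);
    if (he == NULL || he->h_name == NULL)
        bounded_copy(blah, sizeof blah, inet_ntoa(i)); /* at most 15 chars */
    else if (bounded_copy(blah, sizeof blah, he->h_name))
        fprintf(stderr, "hostlookup: hostname truncated to %zu bytes\n",
                sizeof blah - 1);
    return blah;
}

/* Self-check: copy a constructed name of name_len 'A's into a 16-byte
 * buffer and return the resulting string length. */
size_t truncated_len(size_t name_len)
{
    char buf[16], name[2048];
    if (name_len >= sizeof name) return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    bounded_copy(buf, sizeof buf, name);
    return strlen(buf);
}
```

With the original strcpy() a 1500-character h_name would write past blah; here the self-check shows it is cut to the buffer's 15 usable bytes.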
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:51 PDT