And to add more info to this old news bug:

Subject: RWHOIS Bug Fix
Date: Fri, 26 Oct 2001 10:50:39 -0400 (EDT)
From: ginny listman <ginnyat_private>
To: dbwgat_private

Regarding the recent vulnerabilities discovered in the RWhois code, ARIN
Engineering has released a patch. This patch can be found at:

ftp://ftp.arin.net/pub/rwhois/rwhoisd-1.5.7-1.tar.gz

Questions can be addressed to dbwgat_private

Ginny Listman
Director of Engineering
ARIN

Thanks,

Ron DuFresne

On Thu, 22 Nov 2001, alert7 wrote:

> NSI Rwhoisd another Remote Format String Vulnerability
>
> Release information
> -------------------
>
> Release Date: 2001-11-22
> Author: By NetGuard Security Team
> alert7 (alert7at_private)
> Homepage: http://www.netguard.com.cn/
>
>
> Description
> -----------
>
> Rwhoisd is a publicly available RWHOIS server daemon for Unix based
> systems developed and maintained by Network Solutions Inc.
>
> Rwhoisd contains another remotely exploitable format string vulnerability.
> It is possible to overwrite memory by syslog() if set use-syslog: YES.
> $ normal default is YES
>
> Attackers may be able to execute arbitrary code on affected hosts.
>
>
> Version and Platform
> --------------------
>
> Network Solutions rwhoisd 1.5
> Network Solutions rwhoisd 1.5.1a
> Network Solutions rwhoisd 1.5.2
> Network Solutions rwhoisd 1.5.3
> Network Solutions rwhoisd 1.5.5
> Network Solutions rwhoisd 1.5.6
> Network Solutions rwhoisd 1.5.7.1
> Network Solutions rwhoisd 1.5.7
> Network Solutions rwhoisd 1.5.7-1
> Network Solutions rwhoisd 1.5.7.2
>
>
> Details
> -------
>
> log() function will call syslog(syslog_level,message) if set use-syslog: YES
> in rwhoisd.conf file. Unfortunately, message is a user supplied format string.
>
>
> demo
> ----
>
> [alert7@redhat62 ]# telnet 0 4321
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> %rwhois V-1.5:003fff:00 localhost.localdomain (by Network Solutions, Inc. V-1.5.7-1)
> %p%p%p%p <------input
> %error 230 No Objects Found
> Connection closed by foreign host.
>
> [alert7@redhat62 ]# tail /var/log/messages
> Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query: 0xbffff8b00xbffff7fc0x808def80x806be4c
> Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query response: 0 hits
>
>
> Proof-of-Concept exploit
> ------------------------
>
> wait for the vendor to fix it first ;)
>
>
> Vendor information
> ------------------
>
> Vendor was informed on 2001-11-21
> Vendor Homepage: http://www.rwhois.net/
>
>
> About Netguard
> --------------
>
> China Net Security Technology Corporation (CNTC) is a leading provider of computer
> network and information security services in China.
>
> Copyright 2001 http://www.netguard.com.cn, All rights reserved.
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
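The bug quoted above, syslog() called with a client-built message as its format string, is easiest to see next to the fixed pattern. The block below is an added example written for this archive page, not rwhoisd source: a logging wrapper that only ever passes the query as a %s argument, and a checker a defender can run over query logs to flag printf directives such as %p or %n. The function names, the 512-byte line buffer and the sample queries are my own assumptions and constructions.

```c
/* Added example, not rwhoisd code: log client text safely and flag
 * queries that carry printf conversions. Names and sizes are assumed. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build the log line with a FIXED format string. The query only fills a
 * %s argument, so "%p%p%p%p" is recorded literally. The advisory's bug is
 * the opposite: syslog(level, message) with message built from the query,
 * which hands the client control of the format string. Returns the
 * length snprintf would have produced. */
int build_log_line(char *dst, size_t n, const char *client_ip, const char *query)
{
    return snprintf(dst, n, "CLIENT:%s: query: %s", client_ip, query);
}

/* Hardened equivalent of the daemon's log() path when use-syslog is YES. */
void log_client_query(int level, const char *client_ip, const char *query)
{
    char line[512];                      /* assumed buffer size */
    build_log_line(line, sizeof line, client_ip, query);
    syslog(level, "%s", line);           /* never syslog(level, line) */
}

/* Detection helper: does s contain a printf conversion (%p, %x, %s, %n...)?
 * "%%" is a literal percent and is skipped; flags, width, precision and
 * the glibc "$" positional form between '%' and the letter are allowed. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* step past '%' */
        if (*p == '%') { p++; continue; }      /* "%%" -> literal */
        while (*p && strchr("-+#0123456789.*$", *p))
            p++;
        if (*p && strchr("diouxXeEfFgGaAcspn", *p))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed queries, one shaped like the probe in the advisory */
    const char *queries[] = { "example.net", "%p%p%p%p", "50%% off", "%08x%n" };
    for (size_t i = 0; i < sizeof queries / sizeof *queries; i++)
        printf("%-12s directive=%d\n", queries[i], has_format_directive(queries[i]));
    log_client_query(LOG_INFO, "127.0.0.1", queries[1]);
    return 0;
}
```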
This archive was generated by hypermail 2b30 : Fri Nov 23 2001 - 18:21:49 PST