Heap overflow in snmpnetstat

From: Juan M. de la Torre (jmtorreat_private)
Date: Thu Jan 03 2002 - 07:11:24 PST


                  ----------------------------
                    Axioma Security Research 
                        January 3, 2002
                        A D V I S O R Y
                     www.axiomasistemas.com
                  ----------------------------
    
    Platforms   : All
                : Tested on Red Hat Linux 7.1
    
    Application : snmpnetstat from ucd-SNMP-4.2.3 (www.net-snmp.org)
    
    Impact      : Remote code execution on the machine running the snmpnetstat
                  client, by a hostile (or spoofed) SNMP agent
     
     Overview
     --------
    
      snmpnetstat, a tool from the ucd-snmp package, has a remotely exploitable
     heap overflow when parsing the replies of the SNMP agent it queries. A
     possible patch and a proof of concept exploit are attached.
    
      
     Vendor status
     -------------
    
      Contacted
      
    
     Details
     -------
    
      When snmpnetstat requests the list of interfaces, it first allocates an
     array to hold all the structs, one for each interface fetched. Then it
     sends a getnextrequest PDU to the agent requesting ifindex, ifaddr and
     ifnetmask, and saves these values in the first null entry of the array.
     Then it sends another getnextrequest PDU requesting ifindex and some
     other variables. If the ifindex value returned by the agent differs
     from the one previously fetched, and the interface currently being
     scanned is the last one, the code steps past the end of the array and
     the memory located after it is overwritten with the variables returned
     by the agent, causing a heap overflow. The values written are entirely
     under the control of whoever answers the request, so a malicious agent
     (or a spoofed UDP reply) can corrupt the heap of the client.
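     The following is an added example, not code from the advisory or from
     the ucd-snmp sources: it models the parsing logic described above with a
     constructed interface table and constructed agent replies (the struct
     layout, the names `merge_vulnerable`/`merge_fixed` and the sample
     ifindex values are assumptions). The table gets one extra slot that
     stands in for whatever heap chunk follows the real array, so the
     out-of-bounds write is visible without invoking undefined behaviour.
     The vulnerable merge advances to the next slot on an ifindex mismatch
     with no bound check; the fixed one rejects a reply that would land past
     the end of the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed stand-in for the per-interface struct snmpnetstat keeps. */
struct iface {
    int  ifindex;
    char name[NAME_LEN];
};

/* One simulated getnext reply: ifindex plus one more variable. */
struct reply {
    int  ifindex;
    char name[NAME_LEN];
};

/* Vulnerable merge, modelled on the advisory: a reply whose ifindex does not
 * match the slot being scanned is assumed to belong to the next slot, even
 * when the current slot is the last one in the array. */
void merge_vulnerable(struct iface *ifs, int n, const struct reply *r, int nreplies)
{
    (void)n;                              /* n is never consulted: that is the bug */
    for (int i = 0; i < nreplies; i++) {
        struct iface *cur = ifs + i;
        if (cur->ifindex != r[i].ifindex)
            cur++;                        /* BUG: for i == n-1 this points past the array */
        cur->ifindex = r[i].ifindex;      /* agent-controlled data written out of bounds */
        memcpy(cur->name, r[i].name, NAME_LEN);
    }
}

/* Hardened merge: every write is checked against the end of the array and a
 * reply that cannot be matched to a remaining slot is rejected. */
int merge_fixed(struct iface *ifs, int n, const struct reply *r, int nreplies)
{
    const struct iface *end = ifs + n;
    if (nreplies > n)
        return -1;                        /* more replies than interfaces: refuse */
    for (int i = 0; i < nreplies; i++) {
        struct iface *cur = ifs + i;
        if (cur->ifindex != r[i].ifindex)
            cur++;
        if (cur >= end)
            return -1;                    /* would write past the array: refuse */
        cur->ifindex = r[i].ifindex;
        memcpy(cur->name, r[i].name, NAME_LEN);
    }
    return 0;
}

/* Constructed replies. The hostile set never matches the client's ifindex
 * values, which is what pushes the scan off the end of the array. */
static const struct reply hostile[2] = { {5, "eth0"}, {9, "ATTACKER"} };
static const struct reply honest[2]  = { {1, "lo"},   {2, "eth0"} };

/* Two real slots plus one guard slot standing in for the next heap chunk. */
static struct iface *new_table(void)
{
    struct iface *ifs = calloc(3, sizeof *ifs);
    if (!ifs) abort();
    ifs[0].ifindex = 1;      strcpy(ifs[0].name, "lo");
    ifs[1].ifindex = 2;      strcpy(ifs[1].name, "eth0");
    ifs[2].ifindex = 0x7777; strcpy(ifs[2].name, "GUARD");
    return ifs;
}

static int guard_intact(const struct iface *ifs)
{
    return ifs[2].ifindex == 0x7777 && strcmp(ifs[2].name, "GUARD") == 0;
}

/* Returns 1 if the vulnerable merge overwrote the guard slot with the
 * attacker's last reply. */
int vulnerable_clobbers_guard(void)
{
    struct iface *ifs = new_table();
    merge_vulnerable(ifs, 2, hostile, 2);
    int hit = ifs[2].ifindex == 9 && strcmp(ifs[2].name, "ATTACKER") == 0;
    free(ifs);
    return hit;
}

/* Returns 1 if the fixed merge refused the hostile replies and left the
 * guard slot untouched. */
int fixed_rejects_hostile(void)
{
    struct iface *ifs = new_table();
    int rc = merge_fixed(ifs, 2, hostile, 2);
    int ok = rc == -1 && guard_intact(ifs);
    free(ifs);
    return ok;
}

/* Returns 1 if the fixed merge still accepts a well-behaved agent. */
int fixed_accepts_honest(void)
{
    struct iface *ifs = new_table();
    int rc = merge_fixed(ifs, 2, honest, 2);
    int ok = rc == 0 && guard_intact(ifs) &&
             strcmp(ifs[0].name, "lo") == 0 && strcmp(ifs[1].name, "eth0") == 0;
    free(ifs);
    return ok;
}

int main(void)
{
    printf("vulnerable merge clobbered guard: %d\n", vulnerable_clobbers_guard());
    printf("fixed merge rejected hostile:     %d\n", fixed_rejects_hostile());
    printf("fixed merge accepted honest:      %d\n", fixed_accepts_honest());
    return 0;
}
```

     In the real client the guard slot is whatever malloc placed after the
     interface array, so the overwritten bytes end up in heap metadata or in
     another object, which is what the attached exploit leverages.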
    
      The research team of Axioma Sistemas has been able to exploit this flaw,
     providing a default offset for Red Hat Linux 7.1. See the attached exploit.
    
      Axioma Sistemas is unaware at this time whether previous versions of
     snmpnetstat are affected by the vulnerability described in this advisory,
     but they probably are.
    
    
     Recommendations
     ---------------
    
      Apply the attached patch or upgrade to the next release of Net-SNMP when
     available. Until then, note that the flaw is triggered by the agent's
     replies, so snmpnetstat should only be pointed at agents you trust, and
     the unauthenticated UDP transport means a reply can also be spoofed.
    
    
     Credits
     -------
    
      Axioma Security Research would like to thank Juan M. de la Torre
     (jmtorreat_private) for discovering and researching this 
     vulnerability
    
    -------------------
     About Axioma Sistemas
    
      Axioma is a leading security consultant for the Internet, founded to help
     corporations improve their network security. With penetration tests and
     a high level of security assessment, Axioma is able to give commercial
     banks, telecommunication companies and many more customers the security
     they need.
    
    This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 13:52:31 PST