[DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd

From: david evlis reign (davidreignat_private)
Date: Tue May 21 2002 - 19:06:43 PDT


    Intro:
    rarpd is the Reverse ARP (RARP, RFC 903) server, used on small to medium
    sized networks to hand out IP addresses to hosts that know only their
    hardware address. The Solaris implementation (in.rarpd) appears to contain
    three remotely exploitable buffer overflows, two locally exploitable
    buffer overflows, and two format string vulnerabilities.
    
    Details:
    The functions error() and syserr() (syserr() is also used by other in.*
    daemons, which are affected in the same way but are not the topic of this
    advisory) each format a message into a 256-byte stack buffer with an
    unbounded sprintf()/vsprintf() and then hand that buffer to syslog() as
    the format string rather than as an argument, so any '%' sequences in the
    message are interpreted by syslog().
    
    #include <errno.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>
    
    extern char *cmdname;   /* program name, set elsewhere in in.rarpd */
    
    static void
    syserr(s)
    char    *s;
    {
            char buf[256];
    
            /* unbounded: a long s overflows the 256-byte stack buffer */
            (void) sprintf(buf, "%s: %s", s, strerror(errno));
            (void) fprintf(stderr, "%s:  %s\n", cmdname, buf);
            /* buf is the format string: '%' sequences in s are interpreted */
            syslog(LOG_ERR, buf);
            exit(1);
    }
    
    /* VARARGS1 */
    static void
    error(char *fmt, ...)
    {
            char buf[256];
            va_list ap;
    
            va_start(ap, fmt);
            /* unbounded: the formatted message can overflow buf */
            (void) vsprintf(buf, fmt, ap);
            va_end(ap);
            (void) fprintf(stderr, "%s:  %s\n", cmdname, buf);
            /* buf is the format string: '%' sequences in the arguments are interpreted */
            syslog(LOG_ERR, buf);
            exit(1);
    }
    
    There are two such vulnerable calls, and either could be exploited locally or remotely.
    
    Vendor notification: none.
    
    A working exploit has been written for the remote buffer overflows, but it
    is not being released this time, not here.
    
    DER systems
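As an added example (not part of the advisory above, and not Solaris code), the following shows the hardened shape of syserr() and error(): the message is built with a bounded snprintf()/vsnprintf(), and syslog() always receives a fixed "%s" format so that the message is treated as data. A small helper counts the conversion directives an untrusted string would introduce if it were ever used as a format string, which is the condition that makes syslog(LOG_ERR, buf) exploitable. The program name "in.rarpd", the error codes and the "%x%x%n" payload are constructed for the example; the safe variants write their output line into a caller-supplied buffer and return a truncation flag instead of calling exit(1), so the behaviour can be inspected.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical program name, standing in for in.rarpd's cmdname. */
static const char *cmdname = "in.rarpd";

/* Count the printf conversion directives an untrusted string would
 * introduce if it were passed as a format string. "%%" is a literal
 * percent sign and is not counted. A non-zero result for attacker
 * controlled text is exactly what syslog(LOG_ERR, buf) would interpret. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened replacement for syserr(): bounded formatting and a fixed
 * format string for syslog(). Returns 1 if the message was truncated,
 * 0 otherwise. The formatted line is copied to out for inspection. */
int syserr_safe(const char *s, int err, char *out, size_t outlen)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s: %s", s, strerror(err));
    int truncated = n < 0 || (size_t)n >= sizeof buf;

    /* buf is an argument, not the format: its '%' characters are inert. */
    syslog(LOG_ERR, "%s", buf);
    snprintf(out, outlen, "%s:  %s", cmdname, buf);
    return truncated;
}

/* Hardened replacement for error(). fmt must still be a literal chosen by
 * the programmer; untrusted data goes in the arguments, never in fmt. */
int error_safe(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[256];
    va_list ap;

    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    int truncated = n < 0 || (size_t)n >= sizeof buf;

    syslog(LOG_ERR, "%s", buf);
    snprintf(out, outlen, "%s:  %s", cmdname, buf);
    return truncated;
}

/* Constructed input: a 299-byte message that would overrun the original
 * sprintf(buf, ...) in syserr(). Returns the truncation flag (expected 1). */
int demo_long_message_is_truncated(void)
{
    char big[300], out[512];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return syserr_safe(big, EIO, out, sizeof out);
}

/* Constructed input: an attacker string carrying "%x%x%n". With the fixed
 * format it reaches the log verbatim. Returns 1 if the line is unchanged. */
int demo_payload_is_inert(void)
{
    char out[512];
    error_safe(out, sizeof out, "bad packet from %s", "%x%x%n");
    return strcmp(out, "in.rarpd:  bad packet from %x%x%n") == 0;
}

int main(void)
{
    char out[512];
    printf("directives in \"%%x%%x%%n\": %d\n", count_format_directives("%x%x%n"));
    syserr_safe("open /dev/rarp", ENOENT, out, sizeof out);
    printf("%s\n", out);
    printf("long message truncated: %d\n", demo_long_message_is_truncated());
    printf("payload left inert: %d\n", demo_payload_is_inert());
    return 0;
}
```

The directive count is the check to run over any string that a daemon is about to log: if it is non-zero and the string reaches a logging call as its format, every directive consumes a stack slot, and a "%n" writes to one. Fixing the format string alone is not enough here; the unbounded sprintf()/vsprintf() into buf[256] has to become the bounded form as well, otherwise the overflow remains.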
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 08:37:47 PDT