On 2002-04-24 17:03:04 -0500, Tina Bird wrote:
> forwarded with permission...
>
> ---------- Forwarded message ----------
> Date: Wed, 24 Apr 2002 11:19:28 +0200
> From: Tom <TheTomat_private>
> To: Tina Bird <tbird@precision-guesswork.com>
> Subject: Re: [logs] [ESA-20020423-009] webalizer contains a potentially
>     exploitable buffer overflow (fwd)
>
> Tina Bird wrote:
> > Boy -- who'd've expected two buffer overflows in log
> > analysis programs within a month?
>
> > [...]
>
> > OVERVIEW
> > - --------
> > There is a potentially exploitable buffer overflow in webalizer which
> > could allow an attacker to compromise a host by spoofing reverse DNS
> > queries.
> >
>
> the destination buffer (child_buf) is 128 bytes big and bind (bind 4
> on openbsd 2.8 does) limits the size of the hostname to 64 bytes. even
> MAXHOSTNAMELEN on Linux (and other Unix-like systems) is just 64
> bytes. so i think there is no real danger by this _possible_ buffer
> overflow.

But there's no way for the client to know that the UDP packet arriving
at the host is *actually* from the DNS server or from another host on
the network, short of using IPSEC.

Attack scenario:

1. Webalizer queries for host -> packet from A to B
2. Attacker sees the request (snooping LAN, compromised router, whatever)
3. Attacker spoofs a reply -> packet from B to A, but puts in a long hostname

I haven't read the details of the report, much less looked at the code,
but it seems possible to me.

C really *is* the wrong language for almost everything. *sigh*

-- 
Shane
Carpe Diem

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
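To make the attack scenario in the message above concrete, here is an added example written for this page; it is not webalizer's code and not from the thread or the advisory. It takes the 128-byte destination buffer that Tom mentions as CHILD_BUF_LEN and parses a PTR reply the way a resolver client would, with a constructed reply packet (built inline, not a capture) standing in for the spoofed UDP datagram from step 3. What it shows is that the reply carries whatever label lengths the sender chose: a name of 99 or 127 characters, well past the 64-byte MAXHOSTNAMELEN a well-behaved BIND would enforce, decodes fine, and a perfectly legal 203-character name is refused only because the decoder checks against the destination buffer rather than trusting any resolver-side limit. All function and variable names here are mine.

```c
#include <stdint.h>
#include <string.h>
#define CHILD_BUF_LEN 128   /* size of webalizer's child_buf, as stated in the thread */

/* Decode the wire-format DNS name at msg[off] into dotted form in out. Returns the length,
 * or -1 if malformed or too long: out's size bounds the copy, not any resolver's 64-byte limit. */
int dns_name_decode(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, n = 0; int jumps = 0;                   /* jumps: pointer-loop guard */
    while (pos < msglen && msg[pos] != 0) {
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                           /* compression pointer */
            if (pos + 1 >= msglen || ++jumps > 16) return -1;
            pos = (size_t)(((len & 0x3F) << 8) | msg[pos + 1]);
            continue;
        }
        if (len > 63 || pos + 1 + len > msglen) return -1;
        if (n + (n ? 1 : 0) + len + 1 > outlen) return -1;    /* label + '.' + NUL must fit */
        if (n) out[n++] = '.';
        memcpy(out + n, msg + pos + 1, len);
        n += len; pos += 1 + len;
    }
    if (pos >= msglen) return -1;                             /* ran off the message */
    out[n] = '\0';
    return (int)n;
}

/* Offset just past the name at msg[off], or 0 if it runs off the message. */
static size_t dns_name_skip(const uint8_t *msg, size_t msglen, size_t off)
{
    while (off < msglen) {
        if (msg[off] == 0) return off + 1;
        if ((msg[off] & 0xC0) == 0xC0) return off + 2 <= msglen ? off + 2 : 0;
        off += 1 + msg[off];
    }
    return 0;
}

/* Client side of the scenario: msg came off the wire and may be spoofed. PTR target -> child_buf. */
int ptr_reply_to_hostname(const uint8_t *msg, size_t msglen, char *child_buf, size_t buflen)
{
    if (msglen < 12) return -1;
    size_t off = 12, qdcount = (size_t)(msg[4] << 8 | msg[5]), ancount = (size_t)(msg[6] << 8 | msg[7]);
    for (size_t i = 0; i < qdcount; i++) {                    /* skip question section */
        if ((off = dns_name_skip(msg, msglen, off)) == 0) return -1;
        off += 4;                                              /* QTYPE, QCLASS */
    }
    if (ancount == 0 || (off = dns_name_skip(msg, msglen, off)) == 0) return -1;
    if (off + 10 > msglen) return -1;                          /* TYPE, CLASS, TTL, RDLENGTH */
    size_t type = (size_t)(msg[off] << 8 | msg[off + 1]), rdlen = (size_t)(msg[off + 8] << 8 | msg[off + 9]);
    if (type != 12 || (off += 10) + rdlen > msglen) return -1; /* 12 = PTR; RDATA must be inside msg */
    return dns_name_decode(msg, msglen, off, child_buf, buflen);
}

/* Constructed PTR reply (test data, not a capture) for 1.0.0.127.in-addr.arpa carrying `target`. */
size_t build_ptr_reply(uint8_t *buf, size_t cap, const char *target)
{
    static const uint8_t fixed[] = {
        0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,              /* header: response, QD=1, AN=1 */
        1,'1', 1,'0', 1,'0', 3,'1','2','7', 7,'i','n','-','a','d','d','r', 4,'a','r','p','a', 0,
        0,12, 0,1,                                             /* QTYPE PTR, QCLASS IN */
        0xC0,0x0C, 0,12, 0,1, 0,0,0x0E,0x10                    /* owner ptr, PTR, IN, TTL 3600 */
    };
    size_t rdlen_at = sizeof fixed, n = rdlen_at + 2;         /* RDLENGTH patched at the end */
    if (n + strlen(target) + 2 > cap) return 0;
    memcpy(buf, fixed, sizeof fixed);
    for (const char *p = target; *p; ) {                      /* encode target as labels */
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63) return 0;
        buf[n++] = (uint8_t)l; memcpy(buf + n, p, l);
        n += l; p += l + (dot ? 1 : 0);
    }
    buf[n++] = 0;
    buf[rdlen_at] = (uint8_t)((n - rdlen_at - 2) >> 8), buf[rdlen_at + 1] = (uint8_t)(n - rdlen_at - 2);
    return n;
}

/* Deliver a reply carrying `target` into a CHILD_BUF_LEN buffer; returns length or -1. */
int resolve_into_child_buf(const char *target)
{
    uint8_t pkt[512]; char child_buf[CHILD_BUF_LEN];          /* 512: classic UDP DNS message size */
    size_t len = build_ptr_reply(pkt, sizeof pkt, target);
    return len ? ptr_reply_to_hostname(pkt, len, child_buf, sizeof child_buf) : -1;
}

/* Same, for a name of `labels` labels of `label_len` 'a's (a legal name may be up to 255 octets). */
int resolve_generated(size_t labels, size_t label_len)
{
    char name[256]; size_t n = 0;
    if (labels == 0 || labels * (label_len + 1) > sizeof name) return -1;
    for (size_t i = 0; i < labels; i++, n += label_len) {
        if (i) name[n++] = '.';
        memset(name + n, 'a', label_len);
    }
    name[n] = '\0';
    return resolve_into_child_buf(name);
}
```

With these names, resolve_into_child_buf("www.example.net") returns 15, resolve_generated(2, 49) returns 99 and resolve_generated(2, 63) returns 127 (both longer than MAXHOSTNAMELEN, both accepted), while resolve_generated(3, 42) and resolve_generated(4, 50) return -1 because a 128- or 203-character name has no room for its NUL in a 128-byte buffer. The fit check in dns_name_decode is the only thing standing between that 203-byte name and a 75-byte overrun of child_buf; the reply itself stays within the 512-byte UDP message and 255-octet name limits, so nothing upstream stops it. Whether the copy in webalizer is bounded that way is exactly the question the message leaves open.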
This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 08:12:52 PDT