Re: [logs] [ESA-20020423-009] webalizer contains a potentially exploitable buffer overflow (fwd)

From: Shane Kerr (shane@time-travellers.org)
Date: Thu Apr 25 2002 - 01:52:02 PDT


    On 2002-04-24 17:03:04 -0500, Tina Bird wrote:
    > forwarded with permission...
    > 
    > ---------- Forwarded message ----------
    > Date: Wed, 24 Apr 2002 11:19:28 +0200
    > From: Tom <TheTomat_private>
    > To: Tina Bird <tbird@precision-guesswork.com>
    > Subject: Re: [logs] [ESA-20020423-009] webalizer contains a potentially
    >     exploitable buffer overflow (fwd)
    > 
    > Tina Bird wrote:
    > > Boy -- who'd've expected two buffer overflows in log
    > > analysis programs within a month?
    > 
    > 
    > [...]
    > 
    > > OVERVIEW
    > > - --------
    > >   There is a potentially exploitable buffer overflow in webalizer which
    > >   could allow an attacker to compromise a host by spoofing reverse DNS
    > >   queries.
    > > 
    > 
    > the destination buffer (child_buf) is 128 bytes big and bind (bind 4
    > on openbsd 2.8 does) limits the size of the hostname to 64 bytes. even
    > MAXHOSTNAMELEN on Linux (and other Unix like systems) is just 64
    > bytes.  so i think there is no real danger by this _possible_ buffer
    > overflow.
    
    But there's no way for the client to know that the UDP packet arriving
    at the host is *actually* from the DNS server or from another host on
    the network, short of using IPSEC.
    
    Attack scenario:
    
    1. Webalizer queries for host -> packet from A to B
    2. Attacker sees the request (snooping LAN, compromised router, whatever)
    3. Attacker spoofs a reply -> packet from B to A, but puts in a long
       hostname
    
    I haven't read the details of the report, much less looked at the code,
    but it seems possible to me.  C really *is* the wrong language for
    almost everything.  *sigh*
    
    -- 
    Shane
    Carpe Diem
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
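A defender-side illustration of the point made above, added here as an example and not code from the thread or from webalizer itself: a reverse-DNS answer is untrusted input, so the name it carries should be bounds-checked and validated before it is copied into a fixed-size buffer, rather than relying on a resolver's nominal 64-byte limit. The function names (`copy_resolved_hostname`, `store_in_child_buf`, `oversized_reply_rejected`) and the oversized sample name are assumptions constructed for this example; the 128-byte `child_buf` size is the figure quoted in Tom's message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed destination buffer size quoted in the thread for webalizer's
 * child_buf.  The name of the macro is an assumption for this example. */
#define CHILD_BUF_LEN 128

/* Hardened copy of a resolved hostname into a fixed buffer (example code).
 * The source is treated as untrusted network data: a spoofed DNS reply can
 * carry any length and any bytes, so both are checked here instead of being
 * trusted.  Returns 0 on success, -1 if the name is rejected.  dst is always
 * NUL-terminated on return, even on failure. */
int copy_resolved_hostname(char *dst, size_t dstlen, const char *name, size_t namelen)
{
    size_t i, label = 0;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';

    /* Reject empty names and anything that would not fit with its NUL. */
    if (namelen == 0 || namelen >= dstlen)
        return -1;
    /* RFC 1035: a full domain name is at most 255 octets. */
    if (namelen > 255)
        return -1;

    for (i = 0; i < namelen; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0)          /* leading dot or ".." */
                return -1;
            label = 0;
            continue;
        }
        /* Hostname labels: letters, digits and hyphen only (RFC 952/1123). */
        if (!isalnum(c) && c != '-')
            return -1;
        if (++label > 63)            /* RFC 1035: label at most 63 octets */
            return -1;
    }

    memcpy(dst, name, namelen);
    dst[namelen] = '\0';
    return 0;
}

/* Simulates storing one resolved name into a CHILD_BUF_LEN buffer, as a log
 * analyser would after a reverse lookup.  0 = stored, -1 = rejected. */
int store_in_child_buf(const char *name)
{
    char child_buf[CHILD_BUF_LEN];
    return copy_resolved_hostname(child_buf, sizeof child_buf, name, strlen(name));
}

/* Constructed oversized reply name (not taken from any real DNS response):
 * a 60-octet label, a dot, then a 134-octet label, 195 octets in total.
 * Returns 1 if the hardened copy rejects it. */
int oversized_reply_rejected(void)
{
    char name[256];
    size_t n = 0;

    for (; n < 60; n++)  name[n] = 'a';
    name[n++] = '.';
    for (; n < 195; n++) name[n] = 'b';
    name[n] = '\0';

    return store_in_child_buf(name) == -1;
}

int main(void)
{
    printf("mail.example.com     -> %d\n", store_in_child_buf("mail.example.com"));
    printf("host-1.example.org.  -> %d\n", store_in_child_buf("host-1.example.org."));
    printf("\"bad host\"           -> %d\n", store_in_child_buf("bad host"));
    printf("a..b                 -> %d\n", store_in_child_buf("a..b"));
    printf("oversized reply rejected: %d\n", oversized_reply_rejected());
    return 0;
}
```

The length check is done against the actual destination size, not against MAXHOSTNAMELEN or what a particular resolver is believed to enforce, because the packet that fills the buffer may not have come from that resolver at all. The character-set check is the second layer: a name that passes the size test but contains bytes a hostname should never carry is still dropped before it reaches the log or any later string handling.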
    This archive was generated by hypermail 2b30 : Thu Apr 25 2002 - 08:12:52 PDT