Vulnerability Development mailing list archives
Re: Red Hat 7.1 rpc.statd problem
From: Chris Ess <azarin () tokimi net>
Date: Wed, 5 Dec 2001 14:26:42 -0500 (EST)
Hi... [snip]
rpc.statd[496]: gethostbyname error for ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
[snip]
So my question is: If this is a patched version, why the heck is it trying to look up that name? I'm pretty sure that there isn't someone out there who has that as a reverse name for PTR records. Can anyone help clear up my confusion? Is this just a really bad patch, or is there still room for exploit, or is this the way it's supposed to work?
(Warning: Some guesswork involved. I do not have a RH71 system that I can open up to the same attacks.)

I would imagine that the rpc.statd attack focused on overflowing a buffer *before* the call to gethostbyname. All the bug patch needed to do was fix the buffer overflow problem. Whether or not junk data gets passed to gethostbyname isn't really the concern of those who fixed the bug. (And, honestly, who is to say what is or isn't junk data?)

As to whether or not those entries can be disregarded, I don't really know. The buffer overflow condition before gethostbyname has been corrected. Whether or not there are other overflow conditions lingering within rpc.statd is anyone's guess.

I hope this is of some use.

Sincerely,
Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)
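Whether or not the patched daemon is still at risk, log entries like the one quoted above are worth alerting on, because a legitimate reverse-lookup name never carries %n-style write directives or an octal-escaped 0x90 run. The following is an added example (not part of the thread or of any Red Hat tooling) that scans syslog lines for rpc.statd "gethostbyname error for" entries and flags the ones whose name argument looks like a format-string probe; the sample lines and the regular expressions are constructed here, and the NOP run in the first sample is shortened relative to the real entry.

```python
import re

# Constructed sample syslog lines (the first mimics the entry quoted in the
# thread, with the trailing \220 run cut to 40 repeats; the second is benign).
SAMPLE_LOGS = [
    "Dec  5 14:01:02 host rpc.statd[496]: gethostbyname error for "
    "^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn"
    + "\\220" * 40,
    "Dec  5 14:03:10 host rpc.statd[496]: gethostbyname error for "
    "nfsclient.example.org",
]

STATD_RE = re.compile(
    r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<name>.*)$")
# %n, %hn, %lln ...: directives that write to memory, never valid in a hostname
WRITE_DIRECTIVE_RE = re.compile(r"%\d*(?:hh|h|ll|l)?n")
# wide-padded %x as in %62716x: the usual way of choosing the value %hn writes
WIDTH_DIRECTIVE_RE = re.compile(r"%\d{2,}x")
# syslog renders byte 0x90 (x86 NOP) as the octal escape \220
NOP_RUN_RE = re.compile(r"(?:\\220){8,}")
# ^X-style rendering of control characters
CARET_CTRL_RE = re.compile(r"\^[A-Z\[\\\]^_?]")


def analyze_statd_line(line):
    """Return findings for one rpc.statd gethostbyname error line, or None if
    the line is not such an entry."""
    m = STATD_RE.search(line)
    if not m:
        return None
    name = m.group("name")
    findings = {
        "pid": int(m.group("pid")),
        "write_directives": len(WRITE_DIRECTIVE_RE.findall(name)),
        "padded_directives": len(WIDTH_DIRECTIVE_RE.findall(name)),
        "nop_run": bool(NOP_RUN_RE.search(name)),
        "control_chars": bool(CARET_CTRL_RE.search(name)),
    }
    # One write directive or a NOP sled is enough to call it a probe.
    findings["suspicious"] = findings["write_directives"] > 0 or findings["nop_run"]
    return findings


def scan(lines):
    """Return (line, findings) pairs for every suspicious rpc.statd entry."""
    flagged = []
    for line in lines:
        findings = analyze_statd_line(line)
        if findings and findings["suspicious"]:
            flagged.append((line, findings))
    return flagged
```

Feeding a real /var/log/messages through scan() keeps the benign lookups quiet and surfaces only entries carrying write directives or a NOP run.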