Re: [NetGuard Security] NSI Rwhoisd another Remote Format String Vulnerability

[Ron DuFresne <dufresne () winternet com>]

And to add more info to this oldnews bug:

Subject: RWHOIS Bug Fix
Date: Fri, 26 Oct 2001 10:50:39 -0400 (EDT)
From: ginny listman <ginny () arin net>
To: dbwg () arin net

Regarding the recent vunerabilities discovered in the RWhois code, ARIN
Engineering has released a patch.  This patch can be found at:

        ftp://ftp.arin.net/pub/rwhois/rwhoisd-1.5.7-1.tar.gz

Questions can be addressed to dbwg () arin net


Ginny Listman
Director of Engineering
ARIN



Thanks,

Ron DuFresne

On Thu, 22 Nov 2001, alert7 wrote:

>       NSI Rwhoisd another Remote Format String Vulnerability
>
> Release infomation
> ------------------
>
> Release Date: 2001-11-22
> Author:   By NetGuard Security Team 
>           alert7 (alert7 () netguard com cn) 
> Homepage: http://www.netguard.com.cn/
>
>
> Description
> -----------
>
>   Rwhoisd is a publicly available RWHOIS server daemon for Unix based 
> systems developed and maintained by Network Solutions Inc. 
>
>   Rwhoisd contains another remotely exploitable format string vulnerability. 
> It is possible to overwrite memory by syslog() if set use-syslog: YES.
> $ normal default is YES
>
> Attackers may be able to execute arbitrary code on affected hosts.  
>
>    
>
> Version and Platform
> --------------------
>
> Network Solutions rwhoisd 1.5
> Network Solutions rwhoisd 1.5.1a
> Network Solutions rwhoisd 1.5.2
> Network Solutions rwhoisd 1.5.3
> Network Solutions rwhoisd 1.5.5
> Network Solutions rwhoisd 1.5.6
> Network Solutions rwhoisd 1.5.7.1
> Network Solutions rwhoisd 1.5.7
> Network Solutions rwhoisd 1.5.7-1
> Network Solutions rwhoisd 1.5.7.2
>
>
> Details
> -------
>
> log() function will call syslog(syslog_level,message) if set use-syslog: YES 
> in rwhoisd.conf file. Unfortunately,message is a user supplied format string.
>
>
> demo
> -----
>
> [alert7@redhat62 ]# telnet 0 4321
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> %rwhois V-1.5:003fff:00 localhost.localdomain (by Network Solutions, Inc. V-1.5.7-1)
> %p%p%p%p  <------input
> %error 230 No Objects Found
> Connection closed by foreign host.
>
> [alert7@redhat62 ]# tail /var/log/messages
> Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query: 0xbffff8b00xbffff7fc0x808def80x806be4c
> Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query response: 0 hits
>
>
> Prove-Of-Concept exploit
> ------------------------
>
> wait for vendor fix it first ;)
>
>
> Vendor information
> ------------------
>
> Vendor was informed at 2001-11-21
> Vendor Homepage: http://www.rwhois.net/ 
>
>
> About Netguard
> --------------
>
> China Net Security Technology Corporation (CNTC) is a leading provider of comput
> er network and information security services in China.
>
> Copyright 2001 http://www.netguard.com.cn, All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.