Bugtraq mailing list archives
[DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd
From: "david evlis reign" <davidreign () hotmail com>
Date: Wed, 22 May 2002 02:06:43 +0000
Intro: rarpd is a reverse arp protocol for small to medium sized networks. In the solaris implementation (in.rarpd) there seem to be 3 remotely exploitable buffer overflows, 2 locally exploitable and 2 cases of format string exploitability.
Details: In the functions error and syserr (syserr also being used by other in.* implementations which are also exploitable, but not the topic of this advisory today) there are 2 common syslog calls without format strings.

static void
syserr(s)
char *s;
{
    char buf[256];

    (void) sprintf(buf, "%s: %s", s, strerror(errno));
    (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
    syslog(LOG_ERR, buf);
    exit(1);
}

/* VARARGS1 */
static void
error(char *fmt, ...)
{
    char buf[256];
    va_list ap;

    va_start(ap, fmt);
    (void) vsprintf(buf, fmt, ap);
    va_end(ap);
    (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
    syslog(LOG_ERR, buf);
    exit(1);
}

there are two vulnerable calls which could be exploited locally or remotely.
vendor notification: nope
a working exploit has been created for the remote buffer overflows but not this time, not here.
DER systems
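
Added example (not part of the original advisory and not Sun's code): a hardened form of the two quoted helpers, showing the bounded write that replaces sprintf/vsprintf into buf[256] and the constant "%s" format that replaces syslog(LOG_ERR, buf). The names safe_format and log_error, the ERRBUF_SIZE macro and the sample input are assumptions made for illustration.

```c
/* Added example: hardened counterparts of the advisory's syserr()/error().
 * safe_format() and log_error() are hypothetical names, not Solaris code. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define ERRBUF_SIZE 256   /* same size as buf[] in the quoted functions */

/* Bounded replacement for vsprintf(buf, fmt, ap): never writes past
 * outsz bytes and always NUL-terminates. Returns 1 if the message was
 * truncated, 0 if it fit, -1 on a formatting error. */
static int safe_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0) {
        if (outsz > 0) out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outsz;
}

/* The finished message is handed to syslog() as the argument of a
 * constant "%s" format, so conversion specifiers inside it are logged
 * as plain text and never interpreted. */
static void log_error(const char *cmdname, const char *msg)
{
    (void) fprintf(stderr, "%s: %s\n", cmdname, msg);
    syslog(LOG_ERR, "%s", msg);
}

int main(void)
{
    char buf[ERRBUF_SIZE];
    /* Constructed sample: a name-like string that carries specifiers. */
    const char *untrusted = "le0%x%x";

    errno = ENOENT;
    if (safe_format(buf, sizeof buf, "%s: %s", untrusted, strerror(errno)) == 1)
        fputs("message truncated\n", stderr);
    log_error("in.rarpd", buf);
    return 0;
}
```

Compilers that support it will flag the original pattern with -Wformat -Wformat-security, which is a quick way to find other syslog(priority, buf) call sites in the same code base.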