[DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd

["david evlis reign" <davidreign () hotmail com>]

Intro:
rarpd is a reverse arp protocol for small to medium sized networks.
in the solaris implementation (in.rarpd) there seems to be 3 remotely 
exploitable buffer overflows, 2 locally exploitable and 2 cases of format 
string exploitability.

Details:
In the functions error and syserr (syserr also being used by other in.* 
implmentations which are also exploitable, but not the topic of this 
advisory today) there contains 2 common syslog calls without format strings.

static void
syserr(s)
char    *s;
{
       char buf[256];

       (void) sprintf(buf, "%s: %s", s, strerror(errno));
       (void) fprintf(stderr, "%s:  %s\n", cmdname, buf);
       syslog(LOG_ERR, buf);
       exit(1);
}

/* VARARGS1 */
static void
error(char *fmt, ...)
{
       char buf[256];
       va_list ap;

       va_start(ap, fmt);
       (void) vsprintf(buf, fmt, ap);
       va_end(ap);
       (void) fprintf(stderr, "%s:  %s\n", cmdname, buf);
       syslog(LOG_ERR, buf);
       exit(1);
}

there are two vulnerable calls which could be exploited locally or remotely.

vendor notification: nope

a working exploit has been created for the remote buffer overflows but not 
this time, not here.

DER systems

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.