Vulnerability Development mailing list archives

2 dodgy network programs


From: ant () NOTATLA DEMON CO UK (Antonomasia)
Date: Sat, 9 Oct 1999 11:22:02 +0100


I was just visiting http://www.echelon.wiretapped.net and downloaded a
small file called "tcplog.c" with no author or version stated.  It is for
logging connections to your box (linux only).

There are some minor coding gripes I could make, but line 107
takes a risk with the size of a hostname:

    98  char *hostlookup(unsigned long int in)
    99  {
   100     static char blah[1024];
   101     struct in_addr i;
   102     struct hostent *he;
   103  
   104     i.s_addr=in;
   105     he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
   106     if(he == NULL) strcpy(blah, inet_ntoa(i));
   107     else strcpy(blah, he->h_name);
   108     return blah;
   109  }

Also I want to mention DeleGate-5.9.3 (at www.echelon.wiretapped.net and
elsewhere, in versions for Linux, AIX etc).
Luc Stepniewski <lstep () mail dotcom fr> drew attention to this in April 1999
for having very many string operations without bounds checking.
Although I made it dump core

   #0  0x40058cf3 in ?? () from /lib/libc.so.6
   (gdb) bt
   #0  0x40058cf3 in ?? () from /lib/libc.so.6
   #1  0x8103b80 in RES_matchLine (
       what=0x41414141 <Address 0x41414141 out of bounds>, byname=1094795585,
       name=0x41414141 <Address 0x41414141 out of bounds>,
       line=0x41414141 <Address 0x41414141 out of bounds>, rv=0x41414141,
       rb=0x41414141 <Address 0x41414141 out of bounds>,
       cname=0x41414141 <Address 0x41414141 out of bounds>) at reshost.c:461
   #2  0x41414141 in ?? ()
   Cannot access memory at address 0x41414141.

when I came to convert this into an exploit I could not reproduce it.  I told
Luc around April I was going to make a demo exploit but have never found the
time.  Will someone else take it on?  DeleGate has pretensions to being
a security product and ought to set an example or be made one.
Luc and I both contacted the author in/before April.

--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
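
A bounded counterpart to the hostlookup() quoted above, as an added example that is not part of the original post or of tcplog.c. The names copy_bounded, peer_label and hostlookup_bounded are hypothetical; the caller supplies the buffer, and a resolved name that does not fit is replaced by the numeric address rather than copied.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Copy src into dst only if it fits with its terminator.
 * Returns 0 on success; -1 (dst set to "") if src is NULL or too long. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    const char *end;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    end = memchr(src, '\0', dstlen);   /* look no further than dstlen bytes */
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hypothetical helper: prefer the resolved name, but fall back to the
 * dotted-quad address when the name is missing or does not fit. */
char *peer_label(const char *h_name, struct in_addr i, char *out, size_t outlen)
{
    if (copy_bounded(out, outlen, h_name) != 0)
        copy_bounded(out, outlen, inet_ntoa(i));
    return out;
}

/* Bounded counterpart of hostlookup(); the caller owns the buffer. */
char *hostlookup_bounded(unsigned long int in, char *out, size_t outlen)
{
    struct in_addr i;
    struct hostent *he;

    i.s_addr = (in_addr_t)in;
    he = gethostbyaddr((char *)&i, sizeof(struct in_addr), AF_INET);
    return peer_label(he ? he->h_name : NULL, i, out, outlen);
}
```

The name returned by a reverse lookup comes from whoever controls the PTR record for the connecting address, so its length is input to be checked, not a property of the resolver.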


