Date: Wed, 21 Oct 1998 13:52:14 +0800
From: David Luyer <[email protected]>
To: Herbert Xu <[email protected]>
Subject: buffer overflow in netkit rwhod/Debian netstd-3.07-2hamm.2
Cc: [email protected]
There's a (sort-of exploitable as DoS, possibly exploitable in more interesting
ways[1] but unlikely) buffer overflow in rwhod (netkit-rwho-0.10/rwhod in Debian
netstd-3.07-2hamm.2).
What happens is that glibc defines in /usr/include/protocols/rwhod.h:

    struct outmp {
        char out_line[8];           /* tty name */
        char out_name[8];           /* user id */
        int32_t out_time;           /* time on */
    };

    struct whod {
        ...
        struct whoent {
            struct outmp we_utmp;   /* active tty info */
            int we_idle;            /* tty idle time */
        } wd_we[1024 / sizeof (struct whoent)];
    };
[the new utmp structures are 32 bytes each for line and name]
and this is written to around line 334 of rwhod.c by copying
sizeof(uptr->ut_name) and sizeof(uptr->ut_line) bytes, where uptr is a
struct utmp *. If more users are logged in than can be represented in
a 1024-byte rwhod packet (the standard situation on decent sized shell
boxes which have ~200 simultaneous shell users), the copy into the
last entry in the "we" structure overwrites the global variable "sk" with
a value of 0. rwhod then floods the syslog with "socket operation on
non-socket" as it tries to perform socket operations like sendto/recvfrom
on "sk". syslogd and rwhod go to large CPU usage. It didn't have much
of an effect here, except for all the "last message repeated 20000 times"
syslog messages, but it could on a box close to its load limit when it
hits the user count in question.
The fix: trivial, change around line 334 of rwhod.c to:

    bcopy(uptr->ut_line, we->we_utmp.out_line,
          MIN(sizeof(uptr->ut_line), sizeof(we->we_utmp.out_line)));
    bcopy(uptr->ut_name, we->we_utmp.out_name,
          MIN(sizeof(uptr->ut_name), sizeof(we->we_utmp.out_name)));
David.
[1] unlikely, since xdm login hostnames may be placed in ut_line, but ut_name
is the same length and copied after it; you need to be able to request
an account of > 8 characters name length with just the right letters in
the name to do something interesting (if anything interesting can be done)
and then make sure it is the right utmp entry to be the last one sent off.
difficult.
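[Editor's note: the following C program is an added example, not code from the mail or from netkit rwhod. It models the arithmetic David describes: the 32-byte ut_line/ut_name copies landing in the 8-byte out_line/out_name fields of a 24-byte whoent, so that filling all 42 entries of the 1024-byte packet runs 16 bytes past the array and into whatever global follows it. The surrounding pieces are assumptions made for the demo: `struct utmp_rec` stands in for the 32-byte utmp fields, `struct daemon_state` makes the packet-then-`sk` adjacency explicit (in the real daemon it depended on link order), the trailing `spill` array only keeps the demo's over-write inside one object, and the user/tty names are constructed. The vulnerable routine uses the same lengths as the original bcopy calls; the fixed routine uses the MIN() from the mail.]

```c
/* rwhod_overflow_demo.c: added model of the netkit rwhod whoent overflow.
 * Build and run: cc -O0 -o demo rwhod_overflow_demo.c && ./demo */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* On-wire entry layout from <protocols/rwhod.h>: 8-byte line and name. */
struct outmp {
    char    out_line[8];
    char    out_name[8];
    int32_t out_time;
};

struct whoent {
    struct outmp we_utmp;
    int          we_idle;
};

/* 1024 / 24 = 42 entries, 1008 bytes of array. */
#define NENT (1024 / sizeof(struct whoent))

/* Only the entry array of struct whod is modelled; the header fields that
 * precede wd_we in the real struct do not change the arithmetic below. */
struct whod_pkt {
    struct whoent wd_we[NENT];
};

/* Assumed stand-in for the source record: the 32-byte ut_line/ut_name of
 * the newer utmp (the real struct utmp has more fields). */
struct utmp_rec {
    char ut_line[32];
    char ut_name[32];
};

/* Assumed model of the daemon's globals. In the real binary `sk` happened
 * to follow the packet buffer; here one struct makes that explicit. The
 * `spill` padding exists only so the over-write stays inside this object. */
struct daemon_state {
    struct whod_pkt pkt;
    int             sk;          /* the socket fd that gets clobbered */
    unsigned char   spill[32];
};

/* Vulnerable copy, same lengths as the original bcopy calls: 32 bytes at
 * offset 0 and 32 bytes at offset 8 of a 24-byte entry, i.e. 40 bytes.
 * Done through a byte pointer so the write mirrors what bcopy did. */
static void fill_entry_vulnerable(struct daemon_state *st, size_t idx,
                                  const struct utmp_rec *uptr)
{
    unsigned char *we = (unsigned char *)&st->pkt.wd_we[idx];
    memcpy(we + offsetof(struct outmp, out_line), uptr->ut_line, sizeof(uptr->ut_line));
    memcpy(we + offsetof(struct outmp, out_name), uptr->ut_name, sizeof(uptr->ut_name));
}

/* Fixed copy: bounded by the destination field, as in the mail's patch. */
static void fill_entry_fixed(struct daemon_state *st, size_t idx,
                             const struct utmp_rec *uptr)
{
    struct whoent *we = &st->pkt.wd_we[idx];
    memcpy(we->we_utmp.out_line, uptr->ut_line,
           MIN(sizeof(uptr->ut_line), sizeof(we->we_utmp.out_line)));
    memcpy(we->we_utmp.out_name, uptr->ut_name,
           MIN(sizeof(uptr->ut_name), sizeof(we->we_utmp.out_name)));
}

/* Fill a full packet (NENT logged-in users) with one of the two routines
 * and return what `sk` holds afterwards. `last_name` is the login of the
 * user who lands in the final entry; all others are the constructed "user". */
int sk_after_fill(int use_fix, const char *last_name)
{
    struct daemon_state st;
    memset(&st, 0, sizeof st);
    st.sk = 7;                               /* a plausible open fd */
    for (size_t i = 0; i < NENT; i++) {
        struct utmp_rec u;
        memset(&u, 0, sizeof u);             /* utmp fields are NUL padded */
        strncpy(u.ut_line, "pts/0", sizeof u.ut_line);
        strncpy(u.ut_name, i + 1 == NENT ? last_name : "user", sizeof u.ut_name);
        if (use_fix)
            fill_entry_fixed(&st, i, &u);
        else
            fill_entry_vulnerable(&st, i, &u);
    }
    return st.sk;
}

int main(void)
{
    printf("vulnerable, short names : sk = %d\n", sk_after_fill(0, "user"));
    printf("fixed,      short names : sk = %d\n", sk_after_fill(1, "user"));
    /* bytes 16..19 of the last ut_name are what land on `sk` */
    printf("vulnerable, 20-char name: sk = 0x%x\n",
           sk_after_fill(0, "aaaaaaaaaaaaaaaaBBBB"));
    return 0;
}
```

With ordinary login names the bytes that reach `sk` are the NUL padding of ut_name, which is the "overwrites sk with 0" symptom from the mail; a name long enough to put non-zero bytes at ut_name[16..19] controls the value instead, which is the footnote's "right letters in the name" case. Either way the MIN()-bounded copy leaves `sk` untouched.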