Date: Tue, 16 Feb 1999 00:42:49 +0000
From: Rupert Weber-Henschel <[email protected]>
To: [email protected]
Subject: snplog-1.0 buffer overflow
There is a possible buffer overflow in snplog-1.0. Or is it 0.1? The
tar file is 0.1, the docs say 1.0. %)
(snplog contains tcplogd, icmplogd, udplogd)
The offending code is a sscanf() which parses the response of a remote
identd.
In rfc1413.c, around line 80:
/* minimal parsing, we just want the username */
/* the format string is one literal, wrapped here with adjacent-literal concatenation */
sscanf(buf,
       "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : "
       "%[^\n\r]",
       ret);
where buf contains up to 512 bytes received from the identd, but ret has
only 64 bytes.
I don't know if this is exploitable in terms of root compromise (ret is
malloc'ed, not on the stack), but a quick test made me press the reset
button...
The obvious quick fix is to add a 63 after the last %:
/* the 63 bounds the last conversion to 63 characters plus the terminating NUL */
sscanf(buf,
       "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : "
       "%63[^\n\r]",
       ret);
While I still don't like the idea of having a beast like scanf in
critical code at all...
The homepage for snplog is:
http://www.franken.de/users/gauss/snplog/
The author has been notified, of course.
Cheers,
Rupert
--
Rupert Weber-Henschel
E-Mail: [email protected]
Fax: +49-89-34023886
PGP Public Key: http://www.cip.physik.uni-muenchen.de/~weber
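As an added illustration (not code from the snplog project or from the post above): the bounded sscanf fix beside a scanf-free parse of an RFC 1413 reply, both run against a constructed 512-byte reply whose user-id field has the shape that overran the 64-byte ret. The sample replies and the parse_ident_* / user_id_is / long_userid_len names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#define RET_LEN 64   /* size of snplog's ret buffer */
#define BUF_LEN 512  /* bytes snplog reads from the remote identd */
/* Bounded form of the rfc1413.c parse: "%63[" stops sscanf at 63 bytes plus NUL. */
int parse_ident_bounded(const char *buf, char ret[RET_LEN]) {
    ret[0] = '\0';
    return sscanf(buf, "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : %63[^\n\r]",
                  ret) == 1;
}

/* scanf-free alternative: walk the three ':' separators, require the USERID
 * keyword (ERROR replies carry no user id), copy with an explicit bound. */
int parse_ident_plain(const char *buf, char *ret, size_t retlen) {
    const char *p, *type, *user;
    size_t n;
    if (retlen == 0 || (p = strchr(buf, ':')) == NULL) return 0;  /* ports : */
    type = p + 1;
    if ((p = strchr(type, ':')) == NULL) return 0;    /* type : opsys */
    if ((p = strchr(p + 1, ':')) == NULL) return 0;   /* opsys : user-id */
    user = p + 1;
    while (*type == ' ' || *type == '\t') type++;
    if (strncmp(type, "USERID", 6) != 0) return 0;
    while (*user == ' ' || *user == '\t') user++;
    n = strcspn(user, "\r\n");             /* user id runs to end of line */
    if (n > retlen - 1) n = retlen - 1;    /* truncate instead of overflowing */
    memcpy(ret, user, n);
    ret[n] = '\0';
    return 1;
}
/* Constructed sample replies, not captured traffic. */
const char NORMAL_REPLY[] = "6191 , 23 : USERID : UNIX : stjohns\r\n";
const char ERROR_REPLY[]  = "6191 , 23 : ERROR : NO-USER\r\n";
/* Run either parser on reply and report whether it extracted expect. */
int user_id_is(const char *reply, int use_plain, const char *expect) {
    char ret[RET_LEN];
    int ok = use_plain ? parse_ident_plain(reply, ret, sizeof ret)
                       : parse_ident_bounded(reply, ret);
    return ok && strcmp(ret, expect) == 0;
}

/* Reply whose user-id field fills the rest of a BUF_LEN buffer (the shape that
 * overran ret); returns strlen(ret) after parsing with either parser. */
size_t long_userid_len(int use_plain) {
    static const char prefix[] = "6191 , 23 : USERID : UNIX : ";
    char buf[BUF_LEN], ret[RET_LEN];
    memcpy(buf, prefix, sizeof prefix - 1);
    memset(buf + (sizeof prefix - 1), 'A', BUF_LEN - sizeof prefix);
    buf[BUF_LEN - 1] = '\0';
    return (use_plain ? parse_ident_plain(buf, ret, sizeof ret)
                      : parse_ident_bounded(buf, ret)) ? strlen(ret) : 0;
}
```

With either parser the 483-character user id is cut to 63 bytes inside ret, and the ERROR reply is rejected rather than mis-parsed.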