[UNIX] InetUtils TFTP Client DNS Resolving Buffer Overflows

From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04

    To: list@securiteam.com
    Date: 17 Nov 2004 16:34:09 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      InetUtils TFTP Client DNS Resolving Buffer Overflows
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.gnu.org/software/inetutils/inetutils.html> InetUtils is "a
    collection of common network programs, among other TFTP". Untrusted data
    from a DNS-resolved hostname is copied into fixed-size static buffers without
    any bounds checking, so several buffers located in the .bss can be overflowed.
    Also located in the .bss are function pointers used to implement FTP
    commands, so exploitation with code execution is possible.

    DETAILS

    Vulnerable Systems:
     * InetUtils version 1.4.2 and prior

    All of the overflows originate in data returned by gethostbyname(). Instead
    of bounding each copy by the length of the destination buffer, the code uses
    the length of the source (h_length), or no length at all in the case of
    strcpy(). An attacker could configure their DNS server maliciously, or a
    local attacker on a LAN could spoof replies to neighbors, to exploit this.

    main.c:227: bcopy(host->h_addr, &peeraddr.sin_addr, host->h_length);
    main.c:228: strcpy(hostname, host->h_name);
    main.c:366: bcopy(hp->h_addr, (caddr_t)&peeraddr.sin_addr, hp->h_length);
    main.c:369: strcpy(hostname, hp->h_name);
    main.c:457: bcopy(hp->h_addr, (caddr_t)&peeraddr.sin_addr, hp->h_length);
    main.c:461: strcpy(hostname, hp->h_name);
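    The quoted bcopy()/strcpy() pairs trust both h_length and h_name as they come back from the resolver. The following is an added example, not inetutils code, of a bounds-checked replacement for such a pair that rejects a resolver reply whose address or name does not fit the fixed .bss buffers; HOSTNAME_MAX, the buffer declarations and the two constructed struct hostent replies are assumptions made for the demo.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>

/* Fixed-size static (.bss) buffers like the tftp client's; HOSTNAME_MAX is a constructed demo size. */
#define HOSTNAME_MAX 64
static char hostname[HOSTNAME_MAX];
static struct sockaddr_in peeraddr;

/* Bounds-checked replacement for the quoted bcopy()/strcpy() pair. Every length in a struct
 * hostent comes from the resolver, so each is checked against its destination instead of
 * being used as a copy size. Returns 0 on success, -1 if rejected (buffers left untouched). */
int set_peer_from_hostent(const struct hostent *hp)
{
    if (!hp || !hp->h_name || !hp->h_addr_list || !hp->h_addr_list[0])
        return -1;
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(struct in_addr))
        return -1;                                   /* address does not fit sin_addr */
    const char *nul = memchr(hp->h_name, '\0', HOSTNAME_MAX);
    if (!nul)
        return -1;                                   /* name does not fit hostname[] */
    memcpy(&peeraddr.sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
    peeraddr.sin_family = AF_INET;
    memcpy(hostname, hp->h_name, (size_t)(nul - hp->h_name) + 1);
    return 0;
}

/* Constructed resolver replies (not real DNS data) exercising both paths. */
int demo_overlong_name_rejected(void)
{
    char longname[HOSTNAME_MAX + 200];                 /* no NUL within HOSTNAME_MAX */
    memset(longname, 'A', sizeof longname - 1); longname[sizeof longname - 1] = '\0';
    struct in_addr a = { .s_addr = htonl(0x7f000001) };
    char *addrs[] = { (char *)&a, NULL };
    struct hostent hp = { .h_name = longname, .h_addrtype = AF_INET,
                          .h_length = sizeof a, .h_addr_list = addrs };
    memset(hostname, 0, sizeof hostname);
    return set_peer_from_hostent(&hp) == -1 && hostname[0] == '\0';
}

int demo_valid_entry_accepted(void)
{
    struct in_addr a = { .s_addr = htonl(0xc0a80001) };  /* constructed 192.168.0.1 */
    char *addrs[] = { (char *)&a, NULL };
    struct hostent hp = { .h_name = "tftp.example.test", .h_addrtype = AF_INET,
                          .h_length = sizeof a, .h_addr_list = addrs };
    return set_peer_from_hostent(&hp) == 0 && strcmp(hostname, "tftp.example.test") == 0
        && peeraddr.sin_addr.s_addr == a.s_addr;
}
```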

    ADDITIONAL INFORMATION

    The information has been provided by sean <mailto:infamous41md@hotpop.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
