buffer overflow on whois (redhat linux 7.0/7.1 on i686)

From: Eduardo Damato (damato@unesp.br)
Date: 01/30/02


Date: Wed, 30 Jan 2002 16:37:20 -0200 (BRST)
From: Eduardo Damato <damato@unesp.br>
To: <vuln-dev@securityfocus.com>


Hi All,

Can anyone reproduce the following errors?
I got them in 3 Redhat 7.0/7.1 (i686) boxes. It is possibly due to a
buffer overflow. I have upgraded the linux boxes to the latest glibc
available (glibc-2.2.4-19.3). It didnt happen on red hat 7.2 though.

$whois
syntax: whois [-v] [-r] [-h server] [-p port] [--] query[@server[:port]]
default server is whois.crsnic.net

$whois -r
Segmentation fault (core dumped)
$whois -v
Segmentation fault (core dumped)
$whois -h
Segmentation fault (core dumped)
$whois -p
Segmentation fault (core dumped)

Apparently the problem is a NULL call to strlen() in glibc.
Analysing the cores generated by whois i got the following errors:

#0 0x400bf071 in strlen () from /lib/i686/libc.so.6

$gdb whois core
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
Core was generated by `whois -p'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x400bf071 in strlen () from /lib/i686/libc.so.6

-- 
Eduardo Damato
Network Analyst - GRC/UNESP
email: damato@unesp.br



Relevant Pages