Re: buffer overflow on whois (redhat linux 7.0/7.1 on i686)

From: Jeff Nathan (jeff@wwti.com)
Date: 02/01/02


Date: Fri, 01 Feb 2002 13:36:38 -0800
From: Jeff Nathan <jeff@wwti.com>
To: Blake Frantz <blake@mc.net>

Blake Frantz wrote:
>
> I realize the threat is not huge but, some IDS consoles such as demarc
> call whois from a web interface. If you have a poorly secured IDS console
> an attacker could utilize an exploit in whois to run code on your IDS
> console with the same permissions as a web user. Again, this is not Earth
> shattering, and a lot would have to be 'broke' already for an attacker to
> get much out of it, but it's at least worth mentioning.
>
> -Blake
>
> On 31 Jan 2002, jon schatz wrote:
>
> > On Thu, 2002-01-31 at 08:37, ladd harris wrote:
> > > Testing the whois -p i also get a core dump on red
> > > hat 7.1....tried two machines both seem affected.
> > > whether it can be exploited i do not still need to do
> > > more tests......
> >
> > but what are you going to exploit? i found this bug a while ago, but
> > never reported it because
> >
> > 1) the (newer) whois-1.0.9-1 rpm fixed the problem, and
> > 2) whois isn't setuid. and never needs to be
> >
> > so at most, you're talking about executing code as yourself, which you
> > can do without a buffer overflow.
> >
> > -jon
> >
> > --
> > jon@divisionbyzero.com || www.divisionbyzero.com
> > gpg key: www.divisionbyzero.com/pubkey.asc
> > think i have a virus?: www.divisionbyzero.com/pgp.html
> > "You are in a twisty little maze of Sendmail rules, all confusing."
> >

This looks like a null pointer dereference and is probably the result of
a missing NULL test before attempting to use strlen. It's a mistake but
it's unlikely that it's an actual vulnerability.

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
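Jeff's diagnosis (a `strlen` called on a NULL argument) in code form, as an added example that is not part of this thread and not the whois source: a hypothetical option lookup where `-p` given as the last word yields a NULL value, and a port parser that refuses NULL before touching `strlen`. The function names and the sample argv are constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical port parser for the value of an option such as -p.
   Returns the port number, or -1 when the argument is NULL, empty,
   non-numeric or outside 1..65535. The NULL test is the check whose
   absence turns "-p" with no value into a crash on strlen(). */
int parse_port_arg(const char *arg) {
    if (arg == NULL)               /* missing value: report, don't dereference */
        return -1;
    size_t len = strlen(arg);      /* safe only because of the test above */
    if (len == 0 || len > 5)       /* "65535" is the longest valid port */
        return -1;

    char *end = NULL;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;                 /* not a clean decimal number */
    if (v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Walk argv like a small CLI and return the word following opt.
   Returns NULL when opt is absent or is the last word on the line,
   which is exactly the input that reaches strlen() unchecked. */
const char *option_value(int argc, char *const argv[], const char *opt) {
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], opt) == 0)
            return (i + 1 < argc) ? argv[i + 1] : NULL;
    }
    return NULL;
}

int main(int argc, char *argv[]) {
    /* Constructed command line: "-p" with no value, the crashing shape. */
    char *const sample[] = {"whois", "-p"};
    int n = argc > 1 ? argc : 2;
    char *const *av = argc > 1 ? argv : sample;

    int port = parse_port_arg(option_value(n, av, "-p"));
    if (port < 0) {
        fprintf(stderr, "usage: -p <port> (1..65535)\n");
        return 2;                  /* clean error instead of a core dump */
    }
    printf("port %d\n", port);
    return 0;
}
```

The point of the example is the ordering: the NULL test precedes `strlen`, and the caller gets an error code rather than undefined behaviour, which is what separates a usability bug from a crash.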
