Rwhoisd format string buffer overflow
26th Nov 2001 [SBWID-4872]
COMMAND
	Rwhoisd format string buffer overflow
SYSTEMS AFFECTED
	Rwhoisd 1.5 to 1.5.7.2
PROBLEM
	From the advisory by alert7 of the NetGuard Security Team
	[http://www.netguard.com.cn/]:
	
	Rwhoisd is a publicly available RWHOIS server daemon for Unix based
	systems developed and maintained by Network Solutions Inc.
	
	Rwhoisd contains another remotely exploitable format string
	vulnerability. It is possible to overwrite memory through syslog()
	when use-syslog: YES is set (YES is the normal default).
	
	Attackers may be able to execute arbitrary code on affected hosts.
	
	The log() function calls syslog(syslog_level, message) when
	use-syslog: YES is set in the rwhoisd.conf file. Unfortunately, message
	is a user-supplied string, so syslog() interprets it as a format string.
	
	
	demo -----
	 
	[alert7@redhat62 ]# telnet 0 4321
	Trying 0.0.0.0...
	Connected to 0.
	Escape character is '^]'.
	%rwhois V-1.5:003fff:00 localhost.localdomain (by Network Solutions, Inc. V-1.5.7-1)
	%p%p%p%p <------input
	%error 230 No Objects Found
	Connection closed by foreign host.
	
	[alert7@redhat62 ]# tail /var/log/messages
	Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query: 0xbffff8b00xbffff7fc0x808def80x806be4c
	Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query response: 0 hits
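
The corrected logging pattern for the call described above, as an added example (not code from the advisory or from rwhoisd): the message is formatted once and then passed to syslog() as data under a constant "%s" format. The names safe_log, log_query and last_logged are hypothetical; rwhoisd's real log() is not shown on this page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Last formatted line, kept so the result can be inspected. */
static char last_logged[512];

/* Hypothetical stand-in for rwhoisd's log(); the real function is not shown
 * in the advisory. The format attribute lets GCC/Clang check callers. */
void safe_log(int level, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

void safe_log(int level, const char *fmt, ...)
{
    va_list ap;

    /* Expand the daemon's own, trusted format exactly once. */
    va_start(ap, fmt);
    vsnprintf(last_logged, sizeof last_logged, fmt, ap);
    va_end(ap);

    /* Vulnerable shape from the advisory: syslog(level, message);
     * there the finished message is parsed a second time as a format.
     * Fixed shape: a constant format, with the message passed as data. */
    syslog(level, "%s", last_logged);
}

/* Logs one client query and returns the line that was handed to syslog(). */
const char *log_query(const char *client_ip, const char *query)
{
    safe_log(LOG_INFO, "CLIENT:%s: query: %s", client_ip, query);
    return last_logged;
}

int main(void)
{
    openlog("rwhoisd-demo", LOG_PID, LOG_DAEMON);
    /* Constructed input: the same query typed in the demo session. */
    puts(log_query("127.0.0.1", "%p%p%p%p"));
    closelog();
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC warn about any remaining syslog(level, message) call whose format argument is not a string literal.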
	
	
SOLUTION
	Coming soon.
