Multiple Vulnerabilities in solaris in.rarpd

From: David Foster (foster@dim.ucsd.edu)
Date: Wed May 22 2002 - 14:39:15 EDT


Just saw this advisory for in.rarpd, claims of local and remote
vulnerabilities.

So my question is, can this be disabled? The daemon is only
running on two of our systems, one is a SunRay server and the
other is our NIS master, and I can't afford to break either.
A preliminary search for information hasn't yielded anything useful,
and I'd like to resolve this asap if you know what I mean.

Thanks.

Dave Foster

> Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> X-Originating-IP: [144.134.252.220]
> From: "david evlis reign" <davidreign@hotmail.com>
> To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
> Subject: [DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd
> Date: Wed, 22 May 2002 02:06:43 +0000
> Mime-Version: 1.0
>
> Intro:
> rarpd is a reverse arp protocol for small to medium sized networks.
> in the solaris implementation (in.rarpd) there seems to be 3 remotely
> exploitable buffer overflows, 2 locally exploitable and 2 cases of format
> string exploitability.
>
> Details:
> In the functions error and syserr (syserr also being used by other in.*
> implementations which are also exploitable, but not the topic of this
> advisory today) there contains 2 common syslog calls without format strings.
>
> static void
> syserr(s)
>     char *s;
> {
>     char buf[256];
>
>     (void) sprintf(buf, "%s: %s", s, strerror(errno));
>     (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
>     syslog(LOG_ERR, buf);
>     exit(1);
> }
>
> /* VARARGS1 */
> static void
> error(char *fmt, ...)
> {
>     char buf[256];
>     va_list ap;
>
>     va_start(ap, fmt);
>     (void) vsprintf(buf, fmt, ap);
>     va_end(ap);
>     (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
>     syslog(LOG_ERR, buf);
>     exit(1);
> }
>
> there are two vulnerable calls which could be exploited locally or remotely.
>
> vendor notification: nope
>
> a working exploit has been created for the remote buffer overflows but not
> this time, not here.
>
> DER systems
   << All opinions expressed are mine, not the University's >>

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster National Center for Microscopy and Imaging Research
    Programmer/Analyst University of California, San Diego
    dfoster@ucsd.edu Department of Neuroscience, Mail 0608
    (858) 534-7968 http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself. Therefore, all progress
   depends on the unreasonable." -- George Bernard Shaw
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
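
For reference, a hardened counterpart of the two functions quoted in the advisory. This is an added example, not code from either post or from the Solaris source: it bounds the formatting step and passes the finished message to syslog() as data under a constant "%s" format. The names syserr_msg, error_msg and MSGLEN are hypothetical, the errno value is passed in as a parameter, and the exit(1) of the original is left to the caller.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MSGLEN 256              /* same buffer size as the quoted code */

/* Counterpart of syserr(): snprintf() cannot write past len bytes, and the
 * message reaches syslog() as an argument of a constant "%s" format, so any
 * '%' it contains is logged as text. len must be at least 1.
 * Returns 1 if the message fit, 0 if it was truncated. */
static int
syserr_msg(char *buf, size_t len, const char *s, int err)
{
    int n = snprintf(buf, len, "%s: %s", s, strerror(err));

    if (n < 0)
        buf[0] = '\0';          /* formatting failed: log an empty string */
    syslog(LOG_ERR, "%s", buf);
    return (n >= 0 && (size_t)n < len);
}

/* Counterpart of error(): vsnprintf() instead of vsprintf(). fmt must be a
 * literal in the caller, never data taken from a packet or from argv. */
static int
error_msg(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    if (n < 0)
        buf[0] = '\0';
    syslog(LOG_ERR, "%s", buf);
    return (n >= 0 && (size_t)n < len);
}

int
main(void)
{
    char buf[MSGLEN], big[600];

    memset(big, 'A', sizeof(big) - 1);      /* constructed oversized input */
    big[sizeof(big) - 1] = '\0';
    printf("fit=%d\n", syserr_msg(buf, sizeof(buf), "%n%x", 0));
    printf("fit=%d len=%zu\n", error_msg(buf, sizeof(buf), "%s", big), strlen(buf));
    return 0;
}
```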


