GNU Whois Local Buffer Overflow May Present a Remote-Based Vulnerability When Called By Web Applications
SecurityTracker Alert ID: 1007562
SecurityTracker URL: http://securitytracker.com/id/1007562
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 25 2003
Impact:
Execution of arbitrary code via network, User access via network
Version(s): 4.6.6 and prior versions
Description:
Zone-h reported a buffer overflow in the GNU Whois client software. Web-based applications that call whois may allow a remote user to execute arbitrary code. The impact depends on how the application invokes or integrates the whois client software.
It is reported that setting a specially crafted value for the host name when calling whois with the '-g' command line option can trigger a buffer overflow.
A demonstration (local) exploit is provided:
astharot@astharot astharot $ whois -g `perl -e "print 'a'x2000"`
When whois is used as a standalone application, the buffer overflow allows a local user to execute arbitrary code with the privileges of the local user [which by itself is, of course, not a security concern]. However, it is reported that some web-based applications invoke whois, which may allow a remote user to execute arbitrary code with the privileges of the web server. The specific impact depends on the application that invokes whois.
Impact:
If whois is invoked by a web-based (or other remote) application, a remote user may be able to execute arbitrary code on the system.
Solution:
No solution was available at the time of this entry.
The author of the report has indicated that as a workaround, you can edit the following line in the 'whois.c' file:
sprintf(p--, "-%c %s ", ch, optarg);
Replace the above line with:
snprintf(p--, sizeof(fstring), "-%c %s ", ch, optarg);
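The workaround passes sizeof(fstring) as the bound, which equals the space actually left only while p still points at the start of the buffer. The following is an added example, not code from whois.c or from the advisory: a bounded append that computes the room left from the cursor and rejects an argument that does not fit. It assumes fstring is a fixed-size char array and p is a write cursor into it; append_flag, FSTRING_SIZE and the 64-byte size are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define FSTRING_SIZE 64 /* assumed; the page does not give the real size */

/* Hypothetical helper: append "-<ch> <arg> " at cursor *p inside buf.
 * Returns 0 on success, -1 if it does not fit; on failure the cursor is
 * not advanced and the partial write is discarded. */
static int append_flag(char *buf, size_t bufsize, char **p,
                       char ch, const char *arg)
{
    size_t used = (size_t)(*p - buf);
    size_t room;
    int n;

    if (used >= bufsize)
        return -1;
    room = bufsize - used;            /* space left from the cursor */
    n = snprintf(*p, room, "-%c %s ", ch, arg);
    if (n < 0 || (size_t)n >= room) { /* error, or output was truncated */
        **p = '\0';                   /* drop the partial text */
        return -1;
    }
    *p += n;
    return 0;
}

/* Constructed input: one short argument, then a 2000-byte argument like
 * the one in the advisory's test. Returns the final string length. */
static size_t demo(int *rc_short, int *rc_long)
{
    char fstring[FSTRING_SIZE] = "";
    char *p = fstring;
    char big[2001];

    memset(big, 'a', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    *rc_short = append_flag(fstring, sizeof(fstring), &p, 'g', "abc");
    *rc_long  = append_flag(fstring, sizeof(fstring), &p, 'g', big);
    return strlen(fstring);
}

int main(void)
{
    int a, b;
    size_t len = demo(&a, &b);
    printf("short=%d long=%d len=%zu\n", a, b, len);
    return 0;
}
```

A caller should treat the -1 return as a usage error and exit rather than continue with a shortened query string.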
Vendor URL: www.gnu.org/directory/whois.html
Cause:
Boundary error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
None.
Source Message Contents
Date: Fri, 22 Aug 2003 20:38:08 +0200
Subject: ZH2003-25SA (security advisory): buffer overflow in whois client
08/22/2003
ZH2003-25SA (security advisory): buffer overflow in whois client
Published: 22 August 2003
Released: 22 August 2003
Name: whois client
Affected Systems: all versions
Issue: Remote attacker can obtain remote access with the webserver
privileges
Author: astharot@zone-h.org
Vendor: http://www.linux.org
Description
***********
Zone-h Security Team has discovered a buffer overflow vulnerability in
whois client (all versions). whois client is a client to query the whois
servers, collecting data about internet domains.
Details
*******
By default, the whois client is not set uid, so the bug is not
exploitable locally. But there are a lot of cgi scripts in php/perl that
use whois client, so it's possible to gain remote access to the server
with webserver privileges.
To test the buffer overflow:
astharot@astharot astharot $ whois -g `perl -e "print 'a'x2000"`
Segmentation fault
Solution:
*********
This is a simple workaround. In the file whois.c find the line
sprintf(p--, "-%c %s ", ch, optarg);
and replace it with
snprintf(p--, sizeof(fstring), "-%c %s ", ch, optarg);
Suggestions:
************
Patch the whois client with the workaround proposed.
Astharot - www.zone-h.org admin
original advisory
http://www.zone-h.org/en/advisories/read/id=2925/