SecurityTracker.com
Category:   Application (Generic)  >   Net-snmp
Vendors:   [Multiple Authors/Vendors]
Net-snmp (formerly ucd-snmp) File Name Buffer Overflow Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1002142
SecurityTracker URL:  http://securitytracker.com/id/1002142
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 4 2001
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 4.2.1
Description:   A vulnerability was reported in the SNMP daemon in the net-snmp distribution (formerly known as ucd-snmp). The security hole allows local users to execute arbitrary code on the host.

It is reported that when snmpd is launched by a local user with a long file name specified, a buffer overflow will be triggered. The following type of command arguments will trigger the overflow:

" -l AAAAAAAA....[455 chars]"

It is reported that on line 306 of snmpd.c, the following variable is defined:

char logfile[SNMP_MAXBUF_SMALL];

The value SNMP_MAXBUF_SMALL is reportedly defined in tools.h as a 512k buffer.

Then, on line 321 of snmpd.c, the following offending statement results in the overflow:

strcpy(logfile, LOGFILE);
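
As an added illustration (not code from net-snmp or from the original report), the following C code shows a bounded replacement for the copy described above: it rejects an over-long -l value instead of copying it into the fixed buffer. The helper name set_logfile, the constant EXAMPLE_MAXBUF with its value of 512, and the sample file names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for SNMP_MAXBUF_SMALL; the value 512 is an assumption of this example. */
#define EXAMPLE_MAXBUF 512

/* Pattern described in the advisory, shown for comparison only (not compiled):
 *     char logfile[SNMP_MAXBUF_SMALL];
 *     strcpy(logfile, LOGFILE);     -- copies with no check against the buffer size
 */

/* Hypothetical helper: copy the -l argument into a fixed-size buffer.
 * Returns 0 on success, -1 for a missing or empty argument, -2 if the name
 * (plus its terminating NUL) does not fit. Over-long names are rejected, not
 * truncated, so the daemon never opens a shortened, unintended path. */
int set_logfile(char *dst, size_t dstsize, const char *arg)
{
    const char *end;

    if (dst == NULL || dstsize == 0 || arg == NULL || arg[0] == '\0')
        return -1;
    end = memchr(arg, '\0', dstsize);   /* look for the NUL within dstsize bytes */
    if (end == NULL)
        return -2;                      /* name needs more than dstsize bytes */
    memcpy(dst, arg, (size_t)(end - arg) + 1);  /* includes the NUL */
    return 0;
}

int main(void)
{
    char logfile[EXAMPLE_MAXBUF];
    char longname[1024];                /* constructed over-long -l value */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name: %d\n",
           set_logfile(logfile, sizeof logfile, "/var/log/snmpd.log"));
    printf("long name:  %d\n",
           set_logfile(logfile, sizeof logfile, longname));
    return 0;
}
```
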

Impact:   A local user can execute arbitrary code on the host. If snmpd is configured with set user id (suid) privileges, the local user could obtain elevated privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  net-snmp.sourceforge.net/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Fix) Net-snmp (formerly ucd-snmp) File Name Buffer Overflow Lets Local Users Execute Arbitrary Code
The vendor has released a fix.



 Source Message Contents

Subject:  snmpd log files long names problems


Recently I was using the new rats release and looking at the snmpd.c
from ucd-snmp-4.2.1, and I saw this problem:

When it takes the -l argument and strcpy's it to logfile, small buffer = core dump.



 
 

