SecurityTracker.com

Category:   Application (Generic)  >   in.rarpd
Vendors:   Caldera/SCO, Sun
UNIX 'in.rarpd' Reverse ARP Protocol Daemon May Let Local and Remote Users Gain Root Access on the System
SecurityTracker Alert ID:  1004351
SecurityTracker URL:  http://securitytracker.com/id/1004351
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jun 25 2002
Original Entry Date:  May 22 2002
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network


Description:   Several vulnerabilities were reported in the 'in.rarpd' reverse ARP protocol implementation for Sun Solaris and Caldera/SCO UnixWare/Open UNIX (and possibly other UNIX-based systems). A remote or local user can gain root-level access on the system.

It is reported that 'in.rarpd' contains three remotely exploitable buffer overflows, two locally exploitable buffer overflows, and two format string flaws.

Regarding the format string bugs, the error() and syserr() functions make syslog() calls based on user-supplied information without supplying the required format strings. As a result, a user can supply a malicious string (for the 'cmdname' variable) containing format string specifiers to cause arbitrary code to be executed by the in.rarpd daemon. The report indicates that these calls can be exploited by remote or local users.

No further details were provided.

[Editor's note: The original report only mentions Sun Solaris. However, Caldera/SCO has confirmed that UnixWare and Open UNIX are also vulnerable. On this basis, it is plausible that other UNIX-based systems are affected.]

Impact:   A remote or local user may be able to execute arbitrary code and gain root access on the system.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error, Input validation error
Underlying OS:  UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Fix for UnixWare/Open UNIX) Re: UNIX 'in.rarpd' Reverse ARP Protocol Daemon May Let Local and Remote Users Gain Root Access on the System
Caldera has released fixed packages for UnixWare and Open UNIX.



 Source Message Contents

Subject:  [VulnWatch] [DER Adv #7] - Multiple Vulnerabilities in solaris in.rarpd


Intro:
rarpd is a reverse arp protocol for small to medium sized networks.
in the solaris implementation (in.rarpd) there seems to be 3 remotely 
exploitable buffer overflows, 2 locally exploitable and 2 cases of format 
string exploitability.

Details:
In the functions error and syserr (syserr also being used by other in.* 
implementations which are also exploitable, but not the topic of this 
advisory today) there contains 2 common syslog calls without format strings.

static void
syserr(s)
char    *s;
{
        char buf[256];

        (void) sprintf(buf, "%s: %s", s, strerror(errno));
        (void) fprintf(stderr, "%s:  %s\n", cmdname, buf);
        syslog(LOG_ERR, buf);
        exit(1);
}

/* VARARGS1 */
static void
error(char *fmt, ...)
{
        char buf[256];
        va_list ap;

        va_start(ap, fmt);
        (void) vsprintf(buf, fmt, ap);
        va_end(ap);
        (void) fprintf(stderr, "%s:  %s\n", cmdname, buf);
        syslog(LOG_ERR, buf);
        exit(1);
}

there are two vulnerable calls which could be exploited locally or remotely.

vendor notification: nope

a working exploit has been created for the remote buffer overflows but not 
this time, not here.

DER systems

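The correction for the quoted syslog(LOG_ERR, buf) pattern, as an added example that is not part of the advisory or of any vendor patch: the message is passed as data to a constant "%s" format, and the sprintf()/vsprintf() writes into the 256-byte buffer are replaced with bounded ones. The function names safe_syserr_msg, safe_error_msg and log_err are hypothetical.

```c
/* Added example: hardened counterparts of the advisory's syserr()/error().
 * safe_syserr_msg, safe_error_msg and log_err are hypothetical names. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MSG_MAX 256   /* same buffer size as the quoted code */

/* Build "<s>: <strerror(err)>" with a bounded write. Returns 1 if truncated. */
int safe_syserr_msg(char *buf, size_t len, const char *s, int err)
{
    int n = snprintf(buf, len, "%s: %s", s, strerror(err));
    return n < 0 || (size_t)n >= len;
}

/* Bounded replacement for vsprintf(buf, fmt, ap). Returns 1 if truncated. */
int safe_error_msg(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= len;
}

/* The message is an argument to a constant "%s" format, so conversion
 * specifiers inside it are logged literally and never interpreted. */
void log_err(const char *msg)
{
    syslog(LOG_ERR, "%s", msg);
}

int main(void)
{
    char buf[MSG_MAX];
    /* Constructed sample input containing conversion specifiers. */
    const char *hostile = "%x%x%x%n";

    if (safe_error_msg(buf, sizeof(buf), "bad request from %s", hostile))
        fputs("message truncated\n", stderr);
    log_err(buf);
    return 0;
}
```
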



 
 



Copyright 2020, SecurityGlobal.net LLC