lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <122827b90601201426t13e3a3d4icb4ba9221e4964d4@mail.gmail.com>
Date: Fri, 20 Jan 2006 17:26:05 -0500
From: Stan Bubrouski <stan.bubrouski@...il.com>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: bugtraq@...urityfocus.com, security-announce@...ts.enyo.de
Subject: Re: Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability


On 1/20/06, Florian Weimer <fw@...eb.enyo.de> wrote:
> > III. Detection
> >
> > This problem has been detected and tested on latest versions:
> > snmptrapd from cmu-snmp-linux-3.7 package
> > snmptrapd from cmu-snmp-linux-3.6 package
>
> This seems to be the following code:
>
> int snmp_input(op, session, reqid, pdu, magic)
>     int op;
>     struct snmp_session *session;
>     int reqid;
>     struct snmp_pdu *pdu;
>     void *magic;
> {
>     struct variable_list *vars;
>     char buf[64], sbuf [10240];
>
>     if (op == RECEIVED_MESSAGE && pdu->command == TRP_REQ_MSG){
>         if (Print){
> [...]
>         } else {
> [...]
>           sprintf (sbuf, "%s: %s Trap (%d) Uptime: %s",
>                    inet_ntoa(pdu->agent_addr.sin_addr),
>                    trap_description(pdu->trap_type), pdu->specific_type,
>                    uptime_string(pdu->time, buf));
> [...]
>           for (vars = pdu->variables; vars; vars = vars->next_variable) {
>             /* XXX: check buffer space avail */
>             strcat (sbuf, " ");
>             sprint_variable (sbuf + strlen (sbuf),
>                              vars->name, vars->name_length, vars);
>           }
>           syslog(LOG_WARNING, sbuf);
>         }
> [...]
> }

Way to track it down.

>
> Apparently, this code has not made its way into the UCD-SNMP and
> NET-SNMP source (or the official CMU-SNMP sources).  This means that
> the number of affected systems should be minimal.
>

Well now that is good news...

-sb


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ