lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar)
Subject: ez-ipupdate format string bug

* ez-ipupdate format string bug *

"ez-ipupdate is a quite complete client for the dynamic DNS service offered
by http://www.ez-ip.net/ and many more. Currently supported are: ez-ip
[..] , Penguinpowered [..] , DHS [..] , dynDNS [..] , ODS [..] , TZO [..] ,
EasyDNS [..] , Justlinux [..] , Dyns [..] , HN [..] , ZoneEdit [..] and
Hurricane Electric's IPv6 Tunnel Broker [..]. All services using GNUDip are
also supported."

(from packages.debian.org)

I have found a format string bug in ez-ipupdate. It affects at least the
versions 3.0.11b8, 3.0.11b7, 3.0.11b6, 3.0.11b5 and 3.0.10. It doesn't affect
2.9.6. The vulnerability has the identifier CAN-2004-0980.

The format string bug allows a malicious remote server to execute arbitrary
code on the machine running ez-ipupdate, if and only if daemon mode is on
(very common) and certain service types are used. I have attached a trivial
patch (against 3.0.11b8) that corrects this problem.

It proved to be impossible to contact upstream, as all his e-mail addresses
bounced. The Linux and *BSD vendors that distribute ez-ipupdate have been
contacted, but so far only Mandrakelinux and SUSE Linux have published
patched versions.

// Ulf Harnhammar                  http://www.advogato.org/person/metaur/
   for the
   Debian Security Audit Project   http://www.debian.org/security/audit/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ez-ipupdate.formstring.patch
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041111/99f0c54f/ez-ipupdate.formstring.ksh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ