lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A16B39F.7010401@securityreason.com>
Date: Fri, 22 May 2009 16:15:59 +0200
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: IPFilter (ippool) 4.1.31 lib/load_http.c buffer
	overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com/

Date:
- - Dis.: 05.03.2009
- - Pub.: 22.05.2009

CVE: CVE-2009-1476
Risk: Low

Original URL:
http://securityreason.com/achievement_securityalert/62

- --- 0.Description ---
IPFilter is a software package that can be used to provide network
address translation (NAT) or firewall services. To use, it can either be
used as a loadable kernel module or incorporated into your UNIX kernel;
use as a loadable kernel module where possible is highly recommended.
Scripts are provided to install and patch system files, as required.

ippool - user interface to the IPFilter pools

Ippool is used to manage information stored in the IP pools subsystem of
IPFilter. Configuration file information may be parsed and loaded into
the kernel, currently configured pools removed or changed as well as
inspected.

- --- 1. IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ---
The main problem exist in lib/load_http.c .

Let's see lib/load_http.c ( char buffer[1024] )

- ---
...
alist_t *
load_http(char *url)
{
  int fd, len, left, port, endhdr, removed;
  char *s, *t, *u, buffer[1024], *myurl;
  alist_t *a, *rtop, *rbot;
  struct sockaddr_in sin;
  struct hostent *host;

  /*
   * More than this would just be absurd.
   */
  if (strlen(url) > 512) {
      fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
      return NULL;
  }

  fd = -1;
  rtop = NULL;
  rbot = NULL;

  sprintf(buffer, "GET %s HTTP/1.0\r\n", url);

  myurl = strdup(url);
  if (myurl == NULL)
      goto done;

  s = myurl + 7;            /* http:// */
  t = strchr(s, '/');
  if (t == NULL) {
      fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
      free(myurl);
      return NULL;
  }
  *t++ = '\0';

  u = strchr(s, '@');
  if (u != NULL)
      s = u + 1;        /* AUTH */

  sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);
...
- ---

0. buffer[] have only 1024 bytes,
1. url can't have more than 512 bytes,
2. url will be copied into buffer here:

sprintf(buffer, "GET %s HTTP/1.0\r\n", url);

and here (s is a host)

sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);

so if the url have

512 = strlen(http:// A x504 /)

then into buffer will be put

strlen(GET  HTTP/1.0\r\n) = 15
strlen(url) = 512
strlen(Host: \r\n\r\n)= 10
strlen(A x504) = 504

sum = 1041 bytes.

Any use of this function is a potential risk. Programs such as "ippool"
may be at risk.

- --- 2. Fix ---
NetBSD fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?only_with_tag=MAIN
- --- 3. Greets ---
Christos Zoulas

sp3x infospec chujwamwdupe pi3 and others

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEUEARECAAYFAkoWwlMACgkQpiCeOKaYa9Z40wCg3EMaEvfUd6w+CC16Xg9LOes8
RWAAmJecg/1hNPWd6z8oAtCHKi1z/B8=
=Ku9/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ