[3718] in bugtraq
Re: possible lpd remote vulnerability
daemon@ATHENA.MIT.EDU (Evil Erik)
Sat Nov 30 17:08:48 1996
Date: Sat, 30 Nov 1996 12:39:46 -0800
Reply-To: Evil Erik <cyber@dis.org>
From: Evil Erik <cyber@dis.org>
X-To: Yuri Volobuev <volobuev@t1.chem.umn.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Your message of "Sat, 30 Nov 1996 02:55:46 CST."
<Pine.A41.3.95.961130014312.32704A-100000@t1.chem.umn.edu>
] Howdy,
]
] I was looking through lpd sources and noticed something that can actually be
] a remote vulnerability in lpd, allowing for stack overflow and thus
] arbitrary machine code execution. The piece of code that I'm suspicious
] about is
]
] lpd.c, line 463
]     hp = gethostbyaddr((char *)&f->sin_addr,
]         sizeof(struct in_addr), f->sin_family);
]     if (hp == 0)
]         fatal("Host name for your address (%s) unknown",
]             inet_ntoa(f->sin_addr));
]
]     strcpy(fromb, hp->h_name);
]     from = fromb;
<snip>
] after a call to gethostbyaddr() h_name, i.e. hostname of the remote machine,
] is copied first to fromb then to ahost without checking for length.
<snip>
] The code I was looking at was obtained from Debian Linux distribution
] sources, lpd version is 5.19. But I suspect that all lpd's around that are
] derived from BSD lpd have this piece of code, including commercial Unices.
]
] Can somebody confirm this or show that I'm wrong? I can then make a
] summary.
This is from NetBSD-current:
/* $NetBSD: lpd.c,v 1.8 1996/09/21 15:57:22 perry Exp $ */
Earlier versions may be fixed, but without CVS access I can't tell.
lpd.c, line 482:
    hp = gethostbyaddr((char *)&f->sin_addr,
        sizeof(struct in_addr), f->sin_family);
    if (hp == NULL)
        fatal("Host name for your address (%s) unknown",
            inet_ntoa(f->sin_addr));
    (void) strncpy(fromb, hp->h_name, sizeof(fromb));
    from[sizeof(fromb) - 1] = '\0';
    from = fromb;
-=erik.
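The bounded-copy pattern the thread compares against the unchecked strcpy(), as an added example that is not code from the original posts or from lpd itself: the buffer size FROMB_LEN, the helper names and the sample hostnames are constructed for illustration. It shows why strncpy() needs an explicit terminator, and a stricter variant that rejects an over-long h_name instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed hostname buffer. The real lpd sizes fromb with
   MAXHOSTNAMELEN; a small constructed value makes the over-long case
   easy to exercise. */
#define FROMB_LEN 16

/* Bounded copy in the style of the NetBSD change: strncpy() does not
   NUL-terminate when the source is at least dstlen bytes long, so the
   last byte of the destination buffer itself is written explicitly.
   Returns 1 if the name fit, 0 if it was truncated. */
int copy_hostname_bounded(char *dst, size_t dstlen, const char *h_name)
{
    (void) strncpy(dst, h_name, dstlen);
    dst[dstlen - 1] = '\0';
    return strlen(h_name) < dstlen;
}

/* Stricter variant: a name that does not fit is refused outright rather
   than silently truncated, the same way an unresolvable address is
   refused. Returns 0 and leaves dst empty on rejection. */
int copy_hostname_or_reject(char *dst, size_t dstlen, const char *h_name)
{
    size_t len = strlen(h_name);
    if (len >= dstlen) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, h_name, len + 1);
    return 1;
}

int main(void)
{
    /* Constructed inputs standing in for hp->h_name from gethostbyaddr(). */
    const char *ok_name   = "printer1.lan";
    const char *long_name = "very-long-reverse-dns-name.example.invalid";
    char fromb[FROMB_LEN];

    copy_hostname_bounded(fromb, sizeof(fromb), ok_name);
    printf("bounded: %s\n", fromb);
    copy_hostname_bounded(fromb, sizeof(fromb), long_name);
    printf("bounded (truncated): %s\n", fromb);
    if (!copy_hostname_or_reject(fromb, sizeof(fromb), long_name))
        printf("reject: host name too long for buffer\n");
    return 0;
}
```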