[8677] in bugtraq
Re: bootpd remote vulnerability
daemon@ATHENA.MIT.EDU (John McDonald)
Mon Dec 7 13:16:53 1998
Date: Mon, 7 Dec 1998 09:43:42 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: John McDonald <jmcdonal@UNF.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3668EBE4.DD64EC68@cse.ogi.edu>
On Sat, 5 Dec 1998, Crispin Cowan wrote:
> Is Linux not vulnerable for some systemic reason, or because the distributed
> bootp doesn't have the vulnerability?
>
> Thanks,
> Crispin
I looked at Linux a while ago, so this is a somewhat vague memory. I
believe I looked at a stable debian release (non-glibc), an older
slackware version, freebsd 2.2.5, and freebsd 2.2.2. I apologize for my
lack of memory.
Anyway, I believe in all of these systems, the vulnerability was present,
but it was not exploitable. The values in memory after the hwinfolist
table were either too small to overwrite enough of the stack, or so large
that they caused a seg fault. I remember there were some appropriate
values in some cases, but they were over 255, and the value in memory that
would correspond with their description was not a valid deferencable
pointer. Thus, the warning that bootpd prints out would cause a bus error.
horizon
