[42352] in bugtraq
Re: Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability
daemon@ATHENA.MIT.EDU (Florian Weimer)
Fri Jan 20 17:21:13 2006
From: Florian Weimer <fw@deneb.enyo.de>
To: bugtraq@securityfocus.com
Cc: security-announce@lists.enyo.de
Date: Fri, 20 Jan 2006 21:43:09 +0100
In-Reply-To: <20060116150825.2751.qmail@securityfocus.com>
(info@digitalarmaments.com's message of "16 Jan 2006 15:08:25 -0000")
Message-ID: <87bqy6k4v6.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
> III. Detection
>
> This problem has been detected and tested on latest versions:
> snmptrapd from cmu-snmp-linux-3.7 package
> snmptrapd from cmu-snmp-linux-3.6 package
This seems to be the following code:
int snmp_input(op, session, reqid, pdu, magic)
int op;
struct snmp_session *session;
int reqid;
struct snmp_pdu *pdu;
void *magic;
{
struct variable_list *vars;
char buf[64], sbuf [10240];
if (op == RECEIVED_MESSAGE && pdu->command == TRP_REQ_MSG){
if (Print){
[...]
} else {
[...]
sprintf (sbuf, "%s: %s Trap (%d) Uptime: %s",
inet_ntoa(pdu->agent_addr.sin_addr),
trap_description(pdu->trap_type), pdu->specific_type,
uptime_string(pdu->time, buf));
[...]
for (vars = pdu->variables; vars; vars = vars->next_variable) {
/* XXX: check buffer space avail */
strcat (sbuf, " ");
sprint_variable (sbuf + strlen (sbuf),
vars->name, vars->name_length, vars);
}
syslog(LOG_WARNING, sbuf);
}
[...]
}
Apparently, this code has not made its way into the UCD-SNMP and
NET-SNMP source (or the official CMU-SNMP sources). This means that
the number of affected systems should be minimal.
