[42371] in bugtraq


Re: Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability

daemon@ATHENA.MIT.EDU (Stan Bubrouski)
Sat Jan 21 22:03:39 2006

Message-ID: <122827b90601201426t13e3a3d4icb4ba9221e4964d4@mail.gmail.com>
Date: Fri, 20 Jan 2006 17:26:05 -0500
From: Stan Bubrouski <stan.bubrouski@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: bugtraq@securityfocus.com, security-announce@lists.enyo.de
In-Reply-To: <87bqy6k4v6.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

On 1/20/06, Florian Weimer <fw@deneb.enyo.de> wrote:
> > III. Detection
> >
> > This problem has been detected and tested on latest versions:
> > snmptrapd from cmu-snmp-linux-3.7 package
> > snmptrapd from cmu-snmp-linux-3.6 package
>
> This seems to be the following code:
>
> int snmp_input(op, session, reqid, pdu, magic)
>     int op;
>     struct snmp_session *session;
>     int reqid;
>     struct snmp_pdu *pdu;
>     void *magic;
> {
>     struct variable_list *vars;
>     char buf[64], sbuf [10240];
>
>     if (op == RECEIVED_MESSAGE && pdu->command == TRP_REQ_MSG){
>         if (Print){
> [...]
>         } else {
> [...]
>           sprintf (sbuf, "%s: %s Trap (%d) Uptime: %s",
>                    inet_ntoa(pdu->agent_addr.sin_addr),
>                    trap_description(pdu->trap_type), pdu->specific_type,
>                    uptime_string(pdu->time, buf));
> [...]
>           for (vars = pdu->variables; vars; vars = vars->next_variable) {
>             /* XXX: check buffer space avail */
>             strcat (sbuf, " ");
>             sprint_variable (sbuf + strlen (sbuf),
>                              vars->name, vars->name_length, vars);
>           }
>           syslog(LOG_WARNING, sbuf);
>         }
> [...]
> }

Way to track it down.

>
> Apparently, this code has not made its way into the UCD-SNMP and
> NET-SNMP source (or the official CMU-SNMP sources).  This means that
> the number of affected systems should be minimal.
>

Well now that is good news...

-sb
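Added illustration (not code from the advisory, from Florian's excerpt, or from CMU-SNMP) of how the two defects in the quoted snmptrapd code would be handled defensively: the unbounded sprintf/strcat into sbuf flagged by the "XXX: check buffer space avail" comment, and the syslog(LOG_WARNING, sbuf) call that lets attacker-supplied varbind text act as the format string. Function names, buffer sizes and the sample trap values are assumed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Append src to the NUL-terminated string in dst (capacity cap).
 * Returns 0 on success, -1 if the result would not fit (dst is left unchanged). */
static int append_bounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);
    if (need >= cap - used)              /* keep room for the terminating NUL */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Build the one-line trap summary the quoted code builds, but with a bounds
 * check on every append.  Every string argument may be attacker influenced
 * (varbind text comes straight off the network).
 * Returns the number of varbinds appended, or -1 if the line would be truncated. */
int build_trap_line(char *sbuf, size_t cap, const char *agent,
                    const char *desc, int specific, const char *uptime,
                    const char *const *varbinds, size_t nvars)
{
    int n = snprintf(sbuf, cap, "%s: %s Trap (%d) Uptime: %s",
                     agent, desc, specific, uptime);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    for (size_t i = 0; i < nvars; i++) {
        if (append_bounded(sbuf, cap, " ") < 0 ||
            append_bounded(sbuf, cap, varbinds[i]) < 0)
            return -1;
    }
    return (int)nvars;
}

/* The logging sink: the message is data, so it goes through a fixed "%s"
 * format.  Passing sbuf itself as the format is the bug in the advisory. */
void log_trap_line(const char *sbuf)
{
    syslog(LOG_WARNING, "%s", sbuf);
}

int main(void)
{
    /* Constructed sample: the second varbind carries format directives. */
    const char *vb[] = { "sysUpTime.0 = 12345", "snmpTrapOID.0 = %s%s%n" };
    char sbuf[256];
    if (build_trap_line(sbuf, sizeof sbuf, "10.0.0.5", "Enterprise Specific",
                        7, "0:01:23.45", vb, 2) == 2)
        log_trap_line(sbuf);         /* the "%s%s%n" is logged literally */
    return 0;
}
```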
