From proff@profane.iq.org  Sat Jan 25 05:35:53 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA02669;
          Sat, 25 Jan 1997 05:35:42 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id AAA12017;
          Sun, 26 Jan 1997 00:36:00 +1100 (EST)
Message-Id: <199701251336.AAA12017@profane.iq.org>
Date: Sun, 26 Jan 1997 00:36:00 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: rlogin (kcmd.c) root-level, local+remote (passive) security hole
X-Send-Pr-Version: 3.2

>Number:         2577
>Category:       bin
>Synopsis:       rlogin (kcmd.c) root-level, local+remote (passive) security hole
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    markm
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 05:40:01 PST 1997
>Closed-Date:    Sun Feb 9 13:34:43 PST 1997
>Last-Modified:  Sun Feb  9 13:36:22 PST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	rlogin compiled with EBONES/Kerberos on

>Description:

	By forging DNS information, kcmd.c is exploitable.

>How-To-Repeat:
>Fix:

	Apply the following patch; it also fixes an unchecked malloc().

--- src/usr.bin/rlogin/kcmd.c.orig	Sun Jan 26 00:26:44 1997
+++ src/usr.bin/rlogin/kcmd.c	Sun Jan 26 00:26:48 1997
@@ -106,7 +106,11 @@
 		return (-1);
 	}
 
-	host_save = malloc(strlen(hp->h_name) + 1);
+	if (!(host_save = malloc(strlen(hp->h_name) + 1))) {
+		perror("malloc");
+		return -1;
+	}
+
 	strcpy(host_save, hp->h_name);
 	*ahost = host_save;
 
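Review bot: style point on the new `return -1;`: the surrounding code in this function writes `return (-1);` (see the first context line of this hunk), so the added early return should use the same form. The NULL check itself is the right fix, since the `strcpy(host_save, hp->h_name)` that follows would otherwise write through a NULL pointer when malloc() fails, and reporting via perror() is consistent with the perror(NULL) call visible in the third hunk.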
@@ -131,9 +135,9 @@
 		fcntl(s, F_SETOWN, pid);
 		sin.sin_family = hp->h_addrtype;
 #if defined(ultrix) || defined(sun)
-		bcopy(hp->h_addr, (caddr_t)&sin.sin_addr, hp->h_length);
+		bcopy(hp->h_addr, (caddr_t)&sin.sin_addr, sizeof sin.sin_addr);
 #else
-		bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr, hp->h_length);
+		bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr, sizeof sin.sin_addr);
 #endif
 		sin.sin_port = rport;
 		if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
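Review bot: the fixed-size copy removes the overflow of sin.sin_addr that a forged h_length causes, but the record is still not validated: sin.sin_family is assigned from hp->h_addrtype two lines above without any check, and an h_length smaller than sizeof sin.sin_addr would now be over-read rather than rejected. Consider a single check after the lookup, e.g. `if (hp->h_addrtype != AF_INET || hp->h_length != sizeof sin.sin_addr) return (-1);`, so that malformed records fail loudly and all three copy sites in this patch are covered by one test.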
@@ -162,7 +166,7 @@
 			perror(NULL);
 			hp->h_addr_list++;
 			bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr,
-			    hp->h_length);
+			    sizeof sin.sin_addr);
 			fprintf(stderr, "Trying %s...\n",
 				inet_ntoa(sin.sin_addr));
 			continue;
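Review bot: minor style point: the new `sizeof sin.sin_addr` (here and in the previous hunk) omits the parentheses that the surrounding code uses for `sizeof(sin)` in the connect() call; both are valid C, but matching the file's existing spelling keeps the style uniform. Behaviour-wise this retry-path copy now matches the first connect attempt, which is what is needed since it copies the next entry of h_addr_list into the same fixed-size sin.sin_addr.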
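The class of bug this PR patches, as an added example that is not part of the PR or of FreeBSD's kcmd.c: a helper that validates a struct hostent (address family and h_length) before copying it into a struct sockaddr_in, and rejects a constructed record whose h_length claims 64 bytes, which the original bcopy(..., hp->h_length) would have written past sin.sin_addr. The hostname, addresses and helper names are assumptions; the port is rlogin's 513/tcp.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Added example, not FreeBSD code. Copies hp's first address into *sin only
 * if the record is a well-formed IPv4 entry. A forged DNS reply can carry an
 * h_length larger than sizeof(struct in_addr); copying h_length bytes into
 * sin->sin_addr is the overflow the PR fixes. Returns 0 on success, -1 if
 * the record is rejected (wrong family, wrong length, or no address). */
int hostent_to_sockaddr_in(const struct hostent *hp, struct sockaddr_in *sin,
                           unsigned short port_netorder)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET)
        return -1;                       /* sin_family would be wrong */
    if (hp->h_length != (int)sizeof(struct in_addr))
        return -1;                       /* too long: overflow; too short: over-read */
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = port_netorder;
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof sin->sin_addr);
    return 0;
}

/* Returns the accepted IPv4 address in host byte order, or 0 if rejected. */
unsigned long resolved_addr(const struct hostent *hp)
{
    struct sockaddr_in sin;
    if (hostent_to_sockaddr_in(hp, &sin, htons(513)) != 0)
        return 0;
    return (unsigned long)ntohl(sin.sin_addr.s_addr);
}

/* Constructed records (assumed values): one honest, one "forged" with
 * h_length = 64, as a hostile resolver reply might claim. */
static char good_addr[4] = { 10, 0, 0, 1 };
static char *good_list[] = { good_addr, NULL };
static char forged_addr[64];
static char *forged_list[] = { forged_addr, NULL };
struct hostent good_host   = { "host.example", NULL, AF_INET, 4,  good_list };
struct hostent forged_host = { "host.example", NULL, AF_INET, 64, forged_list };

int main(void)
{
    printf("good:   %#lx\n", resolved_addr(&good_host));    /* 0xa000001 */
    printf("forged: %#lx\n", resolved_addr(&forged_host));  /* 0 (rejected) */
    return 0;
}
```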
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:01:51 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: markm 
Responsible-Changed-When: Sat Jan 25 23:27:29 PST 1997 
Responsible-Changed-Why:  
eBones is my turf. 
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Sun Feb 9 13:34:43 PST 1997 
State-Changed-Why:  
Suggested fix applied. Thanks! 
>Unformatted:
