From proff@profane.iq.org  Sat Jan 25 17:58:58 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA08972;
          Sat, 25 Jan 1997 17:58:34 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id MAA15341;
          Sun, 26 Jan 1997 12:58:44 +1100 (EST)
Message-Id: <199701260158.MAA15341@profane.iq.org>
Date: Sun, 26 Jan 1997 12:58:44 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: [possible] remote root exploit in rlogind
X-Send-Pr-Version: 3.2

>Number:         2588
>Category:       bin
>Synopsis:       [possible] remote root exploit in rlogind
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 18:00:01 PST 1997
>Closed-Date:    Sun Mar 23 23:01:50 MST 1997
>Last-Modified:  Sun Mar 23 23:02:31 MST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	rlogind trusts dns information, and blindly strcpy's the
	returned remote hostname onto the stack. This may or may
	not be a problem, depending on the resolver library. The
	stack buffer is 512 bytes and the resolver library may
	limit fqdn size to this or less. Some proprietary (non-FreeBSD)
	resolvers are definitely vulnerable, and the resolver
	routines are very complex, so we had better play it safe.
	Further, as time goes by, no doubt we will see another round
	of elite bug ware from vixie.

	

>How-To-Repeat:

	

>Fix:
	
	

--- src/libexec/rlogind/rlogind.c~	Sun Jan 26 12:40:34 1997
+++ src/libexec/rlogind/rlogind.c	Sun Jan 26 12:40:34 1997
@@ -226,9 +226,10 @@
 	fromp->sin_port = ntohs((u_short)fromp->sin_port);
 	hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof(struct in_addr),
 	    fromp->sin_family);
-	if (hp)
-		(void)strcpy(hostname, hp->h_name);
-	else
+	if (hp) {
+		(void)strncpy(hostname, hp->h_name, sizeof hostname);
+		hostname[sizeof(hostname)-1] = '\0';
+	} else
 		(void)strcpy(hostname, inet_ntoa(fromp->sin_addr));
 
 #ifdef	KERBEROS
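Review bot: the strncpy plus explicit `hostname[sizeof(hostname)-1] = '\0'` pair correctly bounds the copy, but when `hp->h_name` is longer than the buffer the code carries on with a silently truncated prefix of the name, and that name is what the trust checks the PR describes go on to use; consider testing `strlen(hp->h_name) >= sizeof hostname` and taking the `inet_ntoa()` branch in that case instead of accepting a truncated name. Also, `sizeof hostname` only gives the buffer size if `hostname` is declared as an array in this function, which the hunk does not show; worth confirming against the declaration.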
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 23:16:32 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:44:45 MST 1997 
Responsible-Changed-Why:  
I'll fix this now. 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sun Mar 23 23:01:50 MST 1997 
State-Changed-Why:  

rlogind.c 1.16 fixes this. 
>Unformatted:
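The defect the PR describes (an unbounded strcpy of a resolver-supplied name into a 512-byte stack buffer) and the shape of its fix, as an added example written for this page; it is not code from the PR or from FreeBSD's rlogind. The function names copy_hostname, strcpy_would_overflow and demo, and the sample host names, are constructed for illustration. It goes one step beyond the patch: rather than keeping a silently truncated prefix, it falls back to the numeric address when the resolved name does not fit.

```c
/* Added example, not the PR's or FreeBSD's code: bounded copy of a
 * resolver-supplied host name into a fixed-size buffer, modelled on the
 * rlogind fix in the PR.  Helper names and sample names are constructed. */
#include <stdio.h>
#include <string.h>

#define HOSTNAME_BUF 512   /* same size as the stack buffer the PR describes */

/* Copy h_name into dst if it fits with its terminating NUL; otherwise put
 * the numeric address there instead of a truncated prefix.
 * Returns 1 when the name was copied verbatim, 0 when it fell back. */
int copy_hostname(char *dst, size_t dstsz, const char *h_name, const char *numeric)
{
    if (dstsz == 0)
        return 0;
    if (h_name != NULL && strlen(h_name) < dstsz) {
        memcpy(dst, h_name, strlen(h_name) + 1);   /* includes the NUL */
        return 1;
    }
    /* Fallback: a dotted quad is at most 15 characters, but bound it anyway;
     * strncpy does not terminate on truncation, so terminate explicitly. */
    strncpy(dst, numeric, dstsz);
    dst[dstsz - 1] = '\0';
    return 0;
}

/* Report whether an unbounded strcpy of name into a bufsz-byte buffer would
 * write past its end (the defect in the original rlogind code), without
 * actually performing the copy. */
int strcpy_would_overflow(const char *name, size_t bufsz)
{
    return strlen(name) + 1 > bufsz;
}

/* Walk through both cases with constructed names; returns 1 if all behave
 * as expected. */
int demo(void)
{
    char hostname[HOSTNAME_BUF];
    char longname[HOSTNAME_BUF + 64];

    /* Constructed: a name longer than the buffer, like an oversized DNS answer. */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    int fits = copy_hostname(hostname, sizeof hostname,
                             "client.example.net", "10.0.0.5");
    int overflowed = strcpy_would_overflow(longname, sizeof hostname);
    int fell_back = copy_hostname(hostname, sizeof hostname, longname, "10.0.0.5");

    printf("short name copied verbatim: %d\n", fits);
    printf("long name would overflow an unbounded strcpy: %d\n", overflowed);
    printf("long name rejected, buffer now holds: %s\n", hostname);

    return fits == 1 && overflowed == 1 && fell_back == 0
        && strcmp(hostname, "10.0.0.5") == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The length check is done before any byte is written, so the destination is never left unterminated, and the caller learns that the resolver's answer was not usable as-is rather than proceeding on a prefix of it.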
