From nobody@FreeBSD.org  Thu Dec 27 02:15:39 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 1791C37B416
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Dec 2001 02:15:39 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id fBRAFdL76122;
	Thu, 27 Dec 2001 02:15:39 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200112271015.fBRAFdL76122@freefall.freebsd.org>
Date: Thu, 27 Dec 2001 02:15:39 -0800 (PST)
From: Christophe Bailleux <cb@t-online.fr>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Buffer Overflow in rwhoisd 
X-Send-Pr-Version: www-1.0

>Number:         33236
>Category:       ports
>Synopsis:       Buffer Overflow in rwhoisd
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 27 02:20:01 PST 2001
>Closed-Date:    Thu Dec 27 07:52:05 PST 2001
>Last-Modified:  Thu Dec 27 07:52:39 PST 2001
>Originator:     Christophe Bailleux
>Release:        Freebsd 4.4
>Organization:
Club-internet / T-online France
>Environment:
FreeBSD sandrine.admin.clubint.net 4.4-RELEASE 
FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001     
murray@builder.FreeBSD.org:/usr/src/sys/compile/GENERIC  i386

>Description:
Buffer overflow in rwhoisd. 
If, in rwhoisd.conf, the option use-syslog: YES is enabled, it's possible to
create a buffer overflow and gain a remote shell.
>How-To-Repeat:
In rwhoisd.conf: use-syslog: YES

bash-2.05# telnet localhost 4321
Trying 127.0.0.1...
Connected to localhost.admin.clubint.net.
Escape character is '^]'.
%rwhois V-1.5:003fff:00 sandrine.admin.clubint.net (by Network Solutions, Inc. V-1.5.7)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Gdb output:

Attaching to program: /usr/local/lib/rwhois/sbin/rwhoisd, process 15185
Reading symbols from /usr/lib/libwrap.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...
done.
0x2812efcc in read () from /usr/lib/libc.so.4
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) 

>Fix:
Upgrade the rwhoisd port to the latest version.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dirk 
State-Changed-When: Thu Dec 27 07:52:05 PST 2001 
State-Changed-Why:  
rwhois upgraded to 1.5.7.3. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33236 
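Added here as an editorial example, not code from the PR or from rwhoisd itself: the mitigation for the bug class reported above is to bound the client's query line before it reaches any fixed-size buffer or syslog call, and to pass client text only as a "%s" argument, never as a format string. The function names, the 256-byte line limit and the 512-byte record size are assumptions made for this illustration.

```c
/* Illustrative defensive handling of an rwhois-style query line.
 * Not rwhoisd's code; names and limits are assumed for the example. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MAX_QUERY 256   /* assumed protocol line limit for this example */

/* Copy one request line (up to '\n') from the client buffer into out.
 * Returns the line length, or -1 if the line would not fit in out
 * (the caller should reject it rather than truncate and carry on). */
int read_query_line(const char *raw, size_t rawlen, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < rawlen && raw[n] != '\n')
        n++;
    if (n >= outsz)          /* leave room for the terminating NUL */
        return -1;
    memcpy(out, raw, n);
    out[n] = '\0';
    return (int)n;
}

/* Render the audit record into a fixed buffer with snprintf; the client
 * text is always an argument, never the format string.
 * Returns 1 if the record fit, 0 if snprintf had to truncate it. */
int format_log_record(char *rec, size_t recsz, const char *peer, const char *query)
{
    int need = snprintf(rec, recsz, "rwhois query from %s: %s", peer, query);
    return need >= 0 && (size_t)need < recsz;
}

/* Validate and log one request; returns 0 on success, -1 when the line
 * was rejected as overlong or the log record did not fit. */
int handle_query(const char *raw, size_t rawlen, const char *peer)
{
    char line[MAX_QUERY];
    char rec[512];
    if (read_query_line(raw, rawlen, line, sizeof line) < 0) {
        syslog(LOG_WARNING, "rejected overlong query from %s", peer);
        return -1;
    }
    if (!format_log_record(rec, sizeof rec, peer, line))
        return -1;
    syslog(LOG_INFO, "%s", rec);
    return 0;
}
```

With this shape, a line of thousands of 'A's is refused up front, so no copy into a stack buffer ever exceeds its bounds and the return address cannot end up as 0x41414141 as in the gdb output above.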
>Unformatted:
