Bugzilla – Bug 64515
VUL-0: CVE-2004-1180: rwhod buffer overflow
Last modified: 2021-10-19 14:01:53 UTC
---------- Forwarded message ----------
From: Vlad902 <vlad902@gmail.com>
Date: Thu, 23 Dec 2004 19:09:39 -0800
Subject: netkit-rwhod DoS vulnerability
To: netbug@ftp.uk.linux.org

I've found that a DoS vulnerability exists in the netkit-rwhod package. rwhod starts two processes, one to listen for connections and another to broadcast messages. It is possible to remotely crash the listener; it is not possible to exploit this vulnerability to execute arbitrary code. This vulnerability only occurs on little endian computers because rwhod trusts external input.

The anomaly exists in the following code (rwhod.c):

    cc = recvfrom(sk, (char *)&wd, sizeof(struct whod), 0,
                  (struct sockaddr *)&from, &len);
    if (cc <= 0) {
        if (cc < 0 && errno != EINTR)
            syslog(LOG_WARNING, "recv: %m");
        continue;
    }
    ... Some checks here ...
    #if ENDIAN != BIG_ENDIAN
    {
        int i, n = (cc - WHDRSIZE)/sizeof(struct whoent);
        struct whoent *we;

        /* undo header byte swapping before writing to file */
        wd.wd_sendtime = ntohl(wd.wd_sendtime);
        for (i = 0; i < 3; i++)
            wd.wd_loadav[i] = ntohl(wd.wd_loadav[i]);
        wd.wd_boottime = ntohl(wd.wd_boottime);
        we = wd.wd_we;
        for (i = 0; i < n; i++) {
            we->we_idle = ntohl(we->we_idle);
            we->we_utmp.out_time = ntohl(we->we_utmp.out_time);
            we++;
        }
    }
    #endif

rwhod trusts that the other host sent a packet that is at least of size WHDRSIZE, otherwise the integer will roll over to a negative number, then when the division occurs it will become a very large positive integer causing the second for loop to loop until it reaches the end of the stack. When it reaches the end of the stack it will fault and cause an effective DoS on the listener.

A simple "exploit" for this vulnerability would be to send a valid packet of size WHDRSIZE-1. This would cause the receiver to not function any longer.

A simple fix for this vulnerability would be to add a check on the 'cc' variable directly after the recvfrom() call (rwhod.c:253).
-vlad902

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
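The length check the report asks for, written out as an added example; this is not code from netkit-rwhod, from the reporter, or from SUSE. The struct layout is taken from the BSD <protocols/rwhod.h> wire format as an assumption rather than by including that header, the host is taken to be little-endian to match the quoted `#if ENDIAN != BIG_ENDIAN` branch, and the sample datagram is constructed in the code, not captured. `vulnerable_entry_count` reproduces the original record-count arithmetic with size_t modelled as 32 bits so the wrap the report describes is visible; `receive_whod` is the hardened receive path, rejecting any datagram shorter than WHDRSIZE, longer than `struct whod`, or carrying a partial trailing record before it does any byte swapping.

```c
/* Added example (not netkit-rwhod code): the length check the report asks
 * for.  Struct layout follows the BSD <protocols/rwhod.h> wire format
 * (assumed, not included); the host is taken to be little-endian. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <arpa/inet.h>

struct outmp  { char out_line[8]; char out_name[8]; int32_t out_time; };
struct whoent { struct outmp we_utmp; int32_t we_idle; };
struct whod {
    char    wd_vers, wd_type, wd_pad[2];
    int32_t wd_sendtime, wd_recvtime;
    char    wd_hostname[32];
    int32_t wd_loadav[3], wd_boottime;
    struct whoent wd_we[1024 / sizeof(struct whoent)];
};

/* Header size as rwhod.c defines it: everything before the record array. */
#define WHDRSIZE (sizeof(struct whod) - sizeof(((struct whod *)0)->wd_we))

/* Record count exactly as the vulnerable code derives it, with size_t
 * modelled as 32 bits (the i386 builds the 2004 report concerns).  For
 * cc < WHDRSIZE the unsigned subtraction wraps to ~4 GiB, the division
 * leaves ~179 million, and the byte-swap loop walks off the end of wd
 * through the rest of the stack until it faults. */
int32_t vulnerable_entry_count(int cc)
{
    uint32_t diff = (uint32_t)cc - (uint32_t)WHDRSIZE;
    return (int32_t)(diff / (uint32_t)sizeof(struct whoent));
}

/* Hardened receive path: validate cc before any arithmetic on it.  Returns
 * the number of whoent records, or -1 if the datagram is rejected.  On
 * success *wd holds the header and records in host byte order. */
int receive_whod(const unsigned char *pkt, ssize_t cc, struct whod *wd)
{
    if (cc < 0 || (size_t)cc < WHDRSIZE || (size_t)cc > sizeof(struct whod))
        return -1;                          /* truncated or oversized */
    if (((size_t)cc - WHDRSIZE) % sizeof(struct whoent) != 0)
        return -1;                          /* partial trailing record */

    memset(wd, 0, sizeof *wd);
    memcpy(wd, pkt, (size_t)cc);

    int n = (int)(((size_t)cc - WHDRSIZE) / sizeof(struct whoent));
    wd->wd_sendtime = ntohl(wd->wd_sendtime);
    for (int i = 0; i < 3; i++)
        wd->wd_loadav[i] = ntohl(wd->wd_loadav[i]);
    wd->wd_boottime = ntohl(wd->wd_boottime);
    for (int i = 0; i < n; i++) {           /* n is now bounded by the array */
        wd->wd_we[i].we_idle = ntohl(wd->wd_we[i].we_idle);
        wd->wd_we[i].we_utmp.out_time = ntohl(wd->wd_we[i].we_utmp.out_time);
    }
    return n;
}

/* Build a constructed (not captured) datagram with `entries` records, all
 * integer fields big-endian as on the wire.  Returns its length in bytes. */
size_t build_packet(unsigned char *buf, int entries)
{
    struct whod w;
    memset(&w, 0, sizeof w);
    w.wd_vers = 1;
    w.wd_type = 1;
    w.wd_sendtime = htonl(1103857779);      /* sample values, not real data */
    w.wd_loadav[0] = htonl(120);
    w.wd_boottime = htonl(1103800000);
    for (int i = 0; i < entries; i++) {
        snprintf(w.wd_we[i].we_utmp.out_name, 8, "user%d", i);
        w.wd_we[i].we_utmp.out_time = htonl(1103857000 + i);
        w.wd_we[i].we_idle = htonl(60 * (i + 1));
    }
    size_t len = WHDRSIZE + (size_t)entries * sizeof(struct whoent);
    memcpy(buf, &w, len);
    return len;
}

int main(void)
{
    unsigned char pkt[sizeof(struct whod)];
    struct whod wd;
    size_t len = build_packet(pkt, 2);
    int n = receive_whod(pkt, (ssize_t)len, &wd);

    printf("valid datagram: %d records, idle[1]=%d s\n", n, wd.wd_we[1].we_idle);
    /* The report's "exploit": a datagram of WHDRSIZE-1 bytes. */
    printf("short datagram: vulnerable n=%d, hardened result=%d\n",
           vulnerable_entry_count((int)WHDRSIZE - 1),
           receive_whod(pkt, (ssize_t)WHDRSIZE - 1, &wd));
    return 0;
}
```

On the arithmetic: if WHDRSIZE is, as in the BSD sources, a sizeof expression, `cc - WHDRSIZE` is evaluated as size_t, so a short datagram wraps to a value near the type's maximum rather than literally going negative; on a 32-bit build the quotient (about 179 million) lands in `int n` as a positive number and the loop runs far past the 1 KiB record array, which is the crash the report observes. Checking cc against both WHDRSIZE and sizeof(struct whod) immediately after recvfrom(), as the reporter suggests, removes the wrap, and the modulus check additionally refuses a datagram whose tail is not a whole record.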
Reproduce: n/a
The same code is in bsd-rwho, which we use for 8.1, SLES8 and 8.2. It was dropped for 9.0.
CAN-2004-1180
It's not in SLES8, so submitted for 8.1 and 8.2.
released packages.
CVE-2004-1180: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)