Intro:

rarpd is a reverse ARP daemon for small to medium sized networks. In the Solaris implementation (in.rarpd) there seem to be 3 remotely exploitable buffer overflows, 2 locally exploitable ones and 2 cases of format string exploitability.

Details:

In the functions error and syserr (syserr is also used by other in.* implementations, which are also exploitable, but that is not the topic of this advisory today) there are 2 common syslog calls that pass the message itself as the format string instead of supplying one.

static void
syserr(s)
char *s;
{
	char buf[256];

	/* unbounded copy: overflows buf if s plus strerror() exceeds 256 bytes */
	(void) sprintf(buf, "%s: %s", s, strerror(errno));
	(void) fprintf(stderr, "%s: %s\n", cmdname, buf);
	/* buf is used as the format string */
	syslog(LOG_ERR, buf);
	exit(1);
}

/* VARARGS1 */
static void
error(char *fmt, ...)
{
	char buf[256];
	va_list ap;

	va_start(ap, fmt);
	/* unbounded: overflows buf if the formatted message exceeds 256 bytes */
	(void) vsprintf(buf, fmt, ap);
	va_end(ap);
	(void) fprintf(stderr, "%s: %s\n", cmdname, buf);
	/* buf is used as the format string */
	syslog(LOG_ERR, buf);
	exit(1);
}

These are the two vulnerable calls, and they could be exploited locally or remotely.

Vendor notification: nope.

A working exploit has been created for the remote buffer overflows, but not this time, not here.

DER systems
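Added illustration, not part of the advisory or of Sun's in.rarpd source: the logging pattern from syserr/error beside its hardened form, with a vsnprintf-based stand-in for syslog so the difference is observable, plus a bounded replacement for the sprintf in syserr. fake_syslog, last_log, log_unsafe, log_safe and build_syserr are hypothetical names; the "50%% done" message is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): renders the message into a static buffer with
 * vsnprintf so the result can be inspected. Hypothetical helper. */
static char last_log[256];
static void fake_syslog(const char *fmt, ...)
{
	va_list ap;
	va_start(ap, fmt);
	(void) vsnprintf(last_log, sizeof last_log, fmt, ap);
	va_end(ap);
}

/* The pattern from syserr/error: the message is the format argument, so
 * any '%' directives inside it are interpreted by the logger. */
const char *log_unsafe(const char *msg)
{
	fake_syslog(msg);
	return last_log;
}

/* Hardened form: constant format, the message is passed as data and
 * reaches the log verbatim. */
const char *log_safe(const char *msg)
{
	fake_syslog("%s", msg);
	return last_log;
}

/* Hardened replacement for the sprintf in syserr: bounded by the buffer
 * size. Returns 1 if the whole message fit, 0 if it was truncated. */
int build_syserr(char *out, size_t outlen, const char *s, const char *err)
{
	int n = snprintf(out, outlen, "%s: %s", s, err);
	return n >= 0 && (size_t) n < outlen;
}

int main(void)
{
	char buf[32];
	/* Constructed input: "%%" is the only directive used, so the demo stays
	 * well defined; it collapses to "%" on the unsafe path. */
	printf("unsafe: %s\n", log_unsafe("50%% done"));
	printf("safe:   %s\n", log_safe("50%% done"));
	printf("fit=%d %s\n", build_syserr(buf, sizeof buf, "in.rarpd", "error"), buf);
	return 0;
}
```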