snplog-1.0 buffer overflow



     To: BUGTRAQ@NETSPACE.ORG 
     Subject: snplog-1.0 buffer overflow 
     From: Rupert Weber-Henschel <rupert.weber@IBM.NET> 
     Date: Tue, 16 Feb 1999 00:42:49 +0000 
     Approved-By: aleph1@UNDERGROUND.ORG 
     Reply-To: Rupert Weber-Henschel <rupert.weber@IBM.NET> 
     Sender: Bugtraq List <BUGTRAQ@netspace.org> 



There is a possible buffer overflow in snplog-1.0. Or is it 0.1?  The
tar file is 0.1, the docs say 1.0. %)
(snplog contains tcplogd, icmplogd, udplogd)

The offending code is a sscanf() which parses the response of a remote
identd.
In rfc1413.c, around line 80:

            /* minimal parsing, we just want the username */
            sscanf(buf,
                   "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] :
%[^\n\r]",
                   ret);

where buf contains up to 512 bytes received from the identd, but ret has
only 64 bytes.

I don't know if this exploitable in terms of root compromise (ret is
malloc'ed, not on the stack), but a quick test made me press the reset
button...

The obvious quick fix is to add a 63 after the last %:
            sscanf(buf,
                   "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] :
%63[^\n\r]",
                   ret);

While I still don't like the idea of having a biest like scanf in
critical code at all...

The homepage for snplog is:
        http://www.franken.de/users/gauss/snplog/


The author has been notified, of course.


Cheers,


Rupert



--
Rupert Weber-Henschel
E-Mail: rw@times-square.net
Fax: +49-89-34023886

PGP Public Key: http://www.cip.physik.uni-muenchen.de/~weber