4784712 2000-02-10 21:45 /171 lines/ Postmaster
Recipient: Bugtraq (import) <9739>
Subject: Re: application proxies?
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.10.10002100058420.43483-100000@hydrant.intranova.net>
Date: Thu, 10 Feb 2000 00:59:49 -0500
Reply-To: Omachonu Ogali <oogali@INTRANOVA.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Omachonu Ogali <oogali@INTRANOVA.NET>
X-To: freebsd-security@freebsd.org
X-cc: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200002090909.KAA00508@CoDe.hu>

DO NOT USE DELEGATE.

Here are some of my findings with delegate, and I'm still not done yet.

-- snip --
Delegate Problems
=================

Start of access.c:

* Line 41 defines a fixed-length variable (authority - 1024 bytes).
  - scan_AUTH() does no bounds checking and blindly uses strcat() to append to the variable.

* Line 57 defines a fixed-length variable (xauth - 1024 bytes).
  - findAuth() does no bounds checking and blindly passes all three variables to sprintf().

* Line 66 calls sprintf() again to output into a fixed-length variable (xauth - 1024 bytes).

* Line 74 defines a fixed-length variable (userhost - 256 bytes).
  - auth_manager() does no bounds checking and blindly passes two variables to sprintf() with no bounds checking.

* Line 87 defines a fixed-length variable (auth - 256 bytes).
  - auth_anonftp() does no bounds checking and blindly passes the anonymous FTP password to sprintf().

* Line 116 defines a fixed-length variable (hostb - 256 bytes).
  - NotifyPlatform() calls getClientHostPort(), which calls getClientHostPortAddr(), which blindly copies (strcpy) the address passed from NotifyPlatform into a 32-byte buffer defined in the 'Connection' structure.

* Line 145 defines a fixed-length variable (myuri - 256 bytes).
  - clientIF_HP() calls _clientIF(), which blindly outputs (sprintf) the host and port information into the variable 'myuri' after receiving its data from 'myhp'.

* Line 145 defines a fixed-length variable (client - 256 bytes).
  - makeForwarded() calls getClientHostPort(), which calls getClientHostPortAddr(), which blindly copies (strcpy) the address passed from NotifyPlatform into a 32-byte buffer defined in the 'Connection' structure.

* Line 146 defines a fixed-length variable (myhp - 256 bytes).
  - clientIF_HP() calls _clientIF(), which returns data that is not bounds-checked into the variable 'myhp' for later consumption by sprintf().

* Line 168 defines a fixed-length variable (atype - 128 bytes).
  - makeAuthorization() calls sscanf() to retrieve arguments and cannot bounds-check the data, resulting in a buffer overrun.

* Line 168 defines a fixed-length variable (afmt - 128 bytes).
  - makeAuthorization() calls sscanf() to retrieve arguments and cannot bounds-check the data, resulting in a buffer overrun.

* Line 169 defines a fixed-length variable (gauth - 256 bytes).
  - makeAuthorization() calls strfConn() to return the protocol desired into 'gauth', and two more strings are appended (strcat) without bounds checking.

* Line 169 defines a fixed-length variable (eauth - 256 bytes).
  - makeAuthorization() calls str_to64(), specifying the size of eauth as 512 bytes instead of 256 bytes.

* Line 215 defines a fixed-length variable (host - 256 bytes).
  - makeClientLog() does not perform bounds checking on the results returned by strfConn(), allowing for a buffer overrun.

* Line 215 defines a fixed-length variable (iuser - 256 bytes).
  - makeClientLog() does not perform bounds checking on the results returned by strfConn(), allowing for a buffer overrun.

* Line 215 defines a fixed-length variable (auser - 256 bytes).
  - makeClientLog() does not perform bounds checking on the results returned by strfConn(), allowing for a buffer overrun.

* Line 320 uses strcpy() blindly.
  - No bounds checking is performed before copying 'clhost' into Client_Addr, which is the 32-byte fixed-length variable 'cl_Addr' in the structure Connection defined in delegate.h.

* Line 321 uses strcpy() blindly.
  - No bounds checking is performed before copying 'clhost' into Client_Addr, which is the 128-byte fixed-length variable 'cl_Host' in the structure Connection defined in delegate.h.

* Line 429 defines a fixed-length variable (buf - 1024 bytes).
  - scanIdent() does not perform bounds checking on the variable passed and blindly copies it (strcpy) into 'buf'. Allows an attacker to create their own identd trojan/daemon and pass arbitrary code.

* Line 449 defines a fixed-length variable (addrhostport - 256 bytes).
  - getClientHostPortAddr() does not perform bounds checking on the results returned from getpeerName(). Allows an attacker to create their own fake DNS reply and pass arbitrary code.

* Line 449 defines a fixed-length variable (addr - 256 bytes).
  - Suffers from insufficient bounds checking on the result returned by getpeerName() and receives data from sscanf().

* Line 449 defines a fixed-length variable (host - 256 bytes).
  - Suffers from insufficient bounds checking on the result returned by getpeerName() and receives data from sscanf().

* Line 456 uses strcpy() blindly.
  - No bounds checking is performed before copying 'addr' into Client_Addr, which is the 32-byte fixed-length variable 'cl_Addr' in the structure Connection defined in delegate.h.

* Line 457 uses strcpy() blindly.
  - No bounds checking is performed before copying 'host' into Client_Addr, which is the 128-byte fixed-length variable 'cl_Host' in the structure Connection defined in delegate.h.

* Line 528 defines a fixed-length variable (host - 1024 bytes).
  - No bounds checking is performed on 'hostport' before it's blindly passed into 'host' by sscanf().

* Line 549 defines a fixed-length variable (user - 128 bytes).
  - A fixed-length variable is passed to getClientUser0(), and it suffers from the insufficient bounds checking noted on line 429.

* Line 584 defines a fixed-length variable (host - 256 bytes).
-- snip --

On Wed, 9 Feb 2000, Zahemszky Gabor wrote:

> > Hello,
> >
> > I'm preparing an article on FreeBSD firewall tools. So far I plan to
> > cover ipfw & natd, ipfilter & ipnat, fwtk, kern.securelevel, and
> > mention snort and nessus as a sideline.
> >
> > I'd like to present as many applications as possible. The major lack
> > I see is a choice of application-level proxies such as fwtk. Are there
> > some I'm not aware of?
>
> If I remember well, delegate is another proxy (but somebody pointed out
> that there are so many unsafe - strcpy/etc - functions in it).
>
> ZGabor at CoDe dot HU
>
> --
> #!/bin/ksh
> Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Omachonu Ogali
Intranova Networking Group
(4784712) ------------------------------------------(Rewrapped)
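The two bug classes the post keeps returning to are sscanf("%s") with no field width into a fixed buffer (atype/afmt, 128 bytes) and blind strcpy() of peer-controlled data (getpeername(), reverse DNS, ident) into the 32-byte cl_Addr and 128-byte cl_Host fields of the Connection struct. The block below is an added example written for this page, not DeleGate's code and not the poster's: it shows the unsafe sscanf pattern beside a hardened tokenizer that refuses over-long input instead of truncating it, and a bounded replacement for the strcpy() calls that uses snprintf()'s return value to detect an input that would not fit. Only the buffer sizes come from the post; the Connection layout, the "<type> <fmt>" header shape, and every function name here are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes as the post cites them for access.c and delegate.h. */
#define ATYPE_SZ   128
#define AFMT_SZ    128
#define CL_ADDR_SZ 32
#define CL_HOST_SZ 128

/* Stand-in for the two Connection fields the post names (layout assumed). */
struct Connection {
    char cl_Addr[CL_ADDR_SZ];
    char cl_Host[CL_HOST_SZ];
};

/* The unsafe pattern: "%s" with no field width, so any token longer than
 * 127 bytes runs past atype/afmt. Kept for contrast only; nothing calls it. */
void parse_auth_unsafe(const char *line, char *atype, char *afmt)
{
    sscanf(line, "%s %s", atype, afmt);
}

/* Copy one whitespace-delimited token into dst, or fail if it is missing or
 * would not fit with its terminating NUL. Silent truncation is not a fix:
 * a truncated credential or hostname is still attacker-chosen data. */
static int copy_token(const char **cursor, char *dst, size_t dstsz)
{
    const char *s = *cursor;
    while (*s == ' ' || *s == '\t')
        s++;
    size_t len = strcspn(s, " \t\r\n");
    if (len == 0 || len >= dstsz)
        return -1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    *cursor = s + len;
    return 0;
}

/* Hardened parse of "<type> <fmt>" into the fixed-size fields. */
static int parse_auth_safe(const char *line, char atype[ATYPE_SZ], char afmt[AFMT_SZ])
{
    const char *p = line;
    if (copy_token(&p, atype, ATYPE_SZ) < 0) return -1;
    if (copy_token(&p, afmt, AFMT_SZ) < 0) return -1;
    return 0;
}

/* Hardened replacement for the blind strcpy() into cl_Addr/cl_Host.
 * snprintf never writes past the buffer, and its return value says whether
 * the peer-supplied address or reverse-DNS name actually fit. */
static int set_client_hostport(struct Connection *c, const char *addr, const char *host)
{
    int n = snprintf(c->cl_Addr, sizeof c->cl_Addr, "%s", addr);
    if (n < 0 || (size_t)n >= sizeof c->cl_Addr) return -1;
    n = snprintf(c->cl_Host, sizeof c->cl_Host, "%s", host);
    if (n < 0 || (size_t)n >= sizeof c->cl_Host) return -1;
    return 0;
}

/* Constructed input: an ordinary header line. Returns 1 when both fields parse. */
int demo_parse_normal(void)
{
    char atype[ATYPE_SZ], afmt[AFMT_SZ];
    if (parse_auth_safe("Basic dXNlcjpwYXNz", atype, afmt) != 0) return 0;
    return strcmp(atype, "Basic") == 0 && strcmp(afmt, "dXNlcjpwYXNz") == 0;
}

/* Constructed input: a 300-byte scheme token of the kind that would overrun
 * the 128-byte atype with "%s". Returns 1 when it is rejected and atype untouched. */
int demo_parse_oversized(void)
{
    char line[320];
    memset(line, 'A', 300);
    memcpy(line + 300, " x", 3);
    char atype[ATYPE_SZ] = "", afmt[AFMT_SZ] = "";
    return parse_auth_safe(line, atype, afmt) == -1 && atype[0] == '\0';
}

/* A normal address/host pair fits; a 199-byte reverse-DNS name is refused
 * rather than written past cl_Host[128]. Returns 1 when both hold. */
int demo_hostport(void)
{
    struct Connection c;
    char longhost[200];
    memset(longhost, 'h', 199);
    longhost[199] = '\0';
    int ok = set_client_hostport(&c, "192.0.2.10", "proxy.example.net") == 0
          && strcmp(c.cl_Addr, "192.0.2.10") == 0;
    int rejected = set_client_hostport(&c, "192.0.2.10", longhost) == -1;
    return ok && rejected;
}

int main(void)
{
    printf("normal parse:             %s\n", demo_parse_normal() ? "ok" : "FAIL");
    printf("oversized token rejected: %s\n", demo_parse_oversized() ? "ok" : "FAIL");
    printf("bounded host/port copy:   %s\n", demo_hostport() ? "ok" : "FAIL");
    return 0;
}
```

The point of returning -1 rather than truncating is that every one of the sources the post lists (an Authorization header, a peer address, a reverse-DNS answer, an ident reply) is chosen by the remote side; a proxy should drop the connection or log the oversized field, not carry a clipped version of it into an access decision or a log line.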