8289573 2002-04-15 13:15 +0200  /42 lines/ Spybreak <spybreak@host.sk>
Sent by: joel@lysator.liu.se
Imported: 2002-04-15  17:38  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21832>
Subject: Remote buffer overflow in Webalizer
------------------------------------------------------------
From: "Spybreak" <spybreak@host.sk>
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Message-ID: <20020415131547.M31014@host.sk>

Release  : April 15 2002
Author   : Spybreak (spybreak@host.sk)
Software : Webalizer
Version  : 2.01-09, 2.01-06
URL      : http://www.mrunix.net/webalizer/
Status   : vendor contacted
Problems : remote buffer overflow




--- INTRO ---

The Webalizer is a web server log file analysis program
which produces usage statistics in HTML format for
viewing with a browser.  The results are presented in both
columnar and graphical format, which facilitates
interpretation.

Webalizer 2.01-06 is a part of the Red Hat Linux 7.2
distribution, enabled by default and run daily by the cron
daemon.


--- PROBLEM ---

The webalizer has the ability to perform reverse DNS lookups.
This ability is disabled by default, but if enabled, an
attacker with command over his own DNS service has the
ability to gain remote root access to a machine, due to a remote
buffer overflow in the reverse resolving code.


Public key:
http://spybreak.host.sk
(8289573) /Spybreak <spybreak@host.sk>/-------------
8299221 2002-04-15 22:59 +0000  /50 lines/ Franck Coppola <franck@hosting42.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-17  08:47  by Brevbäraren
External recipient: Spybreak <spybreak@host.sk>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
External CC recipient: brad@mrunix.net
Recipient: Bugtraq (import) <21884>
Comment on text 8289573 by Spybreak <spybreak@host.sk>
Subject: Re: Remote buffer overflow in Webalizer
------------------------------------------------------------
From: "Franck Coppola" <franck@hosting42.com>
To: "Spybreak" <spybreak@host.sk>
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
 brad@mrunix.net
Message-ID: <20020415225916.13076.qmail@ns364.ovh.net>

Here is a patch to fix the vulnerability (tested against
webalizer-2.01-06).

     Franck 

Spybreak writes: 

> Release  : April 15 2002
> Author   : Spybreak (spybreak@host.sk)
> Software : Webalizer
> Version  : 2.01-09, 2.01-06
> URL      : http://www.mrunix.net/webalizer/
> Status   : vendor contacted
> Problems : remote buffer overflow 
> 
>  
> 
> 
> --- INTRO --- 
> 
> The Webalizer is a web server log file analysis program
> which produces usage statistics in HTML format for
> viewing with a browser.  The results are presented in both
> columnar and graphical format, which facilitates
> interpretation. 
> 
> Webalizer 2.01-06 is a part of the Red Hat Linux 7.2
> distribution, enabled by default and run daily by the cron
> daemon. 
> 
> 
> --- PROBLEM --- 
> 
> The webalizer has the ability to perform reverse DNS lookups.
> This ability is disabled by default, but if enabled, an
> attacker with command over his own DNS service has the
> ability to gain remote root access to a machine, due to a remote
> buffer overflow in the reverse resolving code. 
> 
> 
> Public key:
> http://spybreak.host.sk 
>
(8299221) /Franck Coppola <franck@hosting42.com>/(Reflowed)
Attachment (application/octet-stream) in text 8299222
Comment in text 8304962 by Bradford L. Barrett <brad@mrunix.net>
8299222 2002-04-15 22:59 +0000  /16 lines/ Franck Coppola <franck@hosting42.com>
Attachment file name: "patch.webalizer"
Imported: 2002-04-17  08:47  by Brevbäraren
External recipient: Spybreak <spybreak@host.sk>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
External CC recipient: brad@mrunix.net
Recipient: Bugtraq (import) <21885>
Attachment (text/plain) to text 8299221
Subject: Attachment (patch.webalizer) to: Re: Remote buffer overflow in Webalizer
------------------------------------------------------------
*** dns_resolv.c.orig   Tue Apr 16 00:51:28 2002
--- dns_resolv.c        Tue Apr 16 00:53:19 2002
***************
*** 445,449 ****
                                     size,strlen(res_ent->h_name));
  
!                         strcpy(child_buf, res_ent->h_name);
                          size = strlen(child_buf);
                       }
--- 445,449 ----
                                     size,strlen(res_ent->h_name));
  
!                         strncpy(child_buf, res_ent->h_name, MAXHOST);
                          size = strlen(child_buf);
                       }
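Review bot: the strncpy() on the `!` line leaves child_buf without a terminating NUL whenever res_ent->h_name is MAXHOST bytes or longer, and the very next line, `size = strlen(child_buf);`, then reads past the end of the buffer, so the stack write is now bounded but the read is not. Either copy MAXHOST-1 bytes and set `child_buf[MAXHOST-1] = '\0';` explicitly, or, since a silently truncated hostname is still an attacker-chosen string that ends up in the report, test `strlen(res_ent->h_name) < MAXHOST` before the copy and keep the numeric address when the test fails. The count should also match the real size of child_buf (`sizeof child_buf` if it is an array), which this hunk does not show.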

(8299222) /Franck Coppola <franck@hosting42.com>/---
8304962 2002-04-17 02:19 -0400  /31 lines/ Bradford L. Barrett <brad@mrunix.net>
Sent by: joel@lysator.liu.se
Imported: 2002-04-18  03:50  by Brevbäraren
External recipient: Franck Coppola <franck@hosting42.com>
External CC recipient: Spybreak <spybreak@host.sk>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <21917>
Comment on text 8299221 by Franck Coppola <franck@hosting42.com>
Subject: Re: Remote buffer overflow in Webalizer
------------------------------------------------------------
From: "Bradford L. Barrett" <brad@mrunix.net>
To: Franck Coppola <franck@hosting42.com>
Cc: Spybreak <spybreak@host.sk>, <bugtraq@securityfocus.com>,
 <vulnwatch@vulnwatch.org>
Message-ID: <Pine.LNX.4.33.0204170211270.19908-100000@guru.mrunix.net>


> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix. While it will prevent the buffer from overflowing (which I
still fail to see how can be used to execute a 'root' exploit, even
with a LOT of imagination), it will cause the buffer to be filled
with a non-null-terminated string, which will do all sorts of nasty
things to your output, not to mention wreak havoc on the stats, since
you are cutting off the domain portion, not the hostname part, and
adding random garbage at the end.

Anyway, Version 2.01-10 has been released, which fixes this and a few
other buglets that have been discovered in the last month or so.  Get
it at the usual place (web: www.mrunix.net/webalizer/ or
www.webalizer.org or ftp: ftp.mrunix.net/pub/webalizer/); it should
be on the mirror sites soon.

--
Bradford L. Barrett                      brad@mrunix.net
A free electron in a sea of neutrons     DoD#1750 KD4NAW

The only thing Micro$oft has done for society, is make people
believe that computers are inherently unreliable.
(8304962) /Bradford L. Barrett <brad@mrunix.net>/(Reflowed)
8311096 2002-04-17 11:06 +0100  /29 lines/ Lars Hecking <lhecking@nmrc.ie>
Sent by: joel@lysator.liu.se
Imported: 2002-04-19  05:28  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21950>
Comment on text 8299221 by Franck Coppola <franck@hosting42.com>
Subject: Re: Remote buffer overflow in Webalizer
------------------------------------------------------------
From: Lars Hecking <lhecking@nmrc.ie>
To: bugtraq@securityfocus.com
Message-ID: <20020417100658.GA19046@nmrc.ie>

Franck Coppola writes:
> Here is a patch to fix the vulnerability (tested against 
> webalizer-2.01-06). 
>     Franck 
 
 I assume the fact that the patch was in some mangled, binary-ish
 format was the reason why it slipped through to the list. It is
 quite obviously wrong (see man strncpy()).

|--- dns_resolv.c        Tue Apr 16 00:53:19 2002
|***************
|*** 445,449 ****
|                                     size,strlen(res_ent->h_name));
|  
|!                         strcpy(child_buf, res_ent->h_name);
|                          size = strlen(child_buf);
|                       }
|--- 445,449 ----
|                                     size,strlen(res_ent->h_name));
|  
|!                         strncpy(child_buf, res_ent->h_name, MAXHOST);
|                          size = strlen(child_buf);
|                       }
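Review bot: as quoted here the diff starts at the `--- dns_resolv.c` header and the `*** dns_resolv.c.orig` line of the context diff is gone, so this copy will not apply with patch(1); anyone testing it should take the attachment instead. The defect in the `!` line is the one the strncpy() man page warns about: with a count equal to the buffer size an overlong source gets no terminating NUL, and `size = strlen(child_buf);` on the following line then reads beyond child_buf.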
(8311096) /Lars Hecking <lhecking@nmrc.ie>/(Reflowed)
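The copy pattern the advisory describes (a reverse lookup whose answer the attacker chooses, copied with strcpy() into a fixed buffer) next to the strncpy() patch from the thread and the objection Brad and Lars raise to it, as an added C example. This is not Webalizer's code and not code posted by anyone in the thread; the value of MAXHOST, the size of child_buf, the attacker-controlled hostname and the fallback to the numeric address are all assumptions made for the demo, since the real constant, the surrounding dns_resolv.c code and the 2.01-10 fix are not shown on this page.

```c
/* Added example, not Webalizer's code. Reproduces the three copies discussed
 * in the thread: the unchecked strcpy(), the strncpy(..., MAXHOST) patch, and
 * a bounded copy that refuses names that do not fit. */
#include <netdb.h>    /* struct hostent, the type behind res_ent->h_name */
#include <stdio.h>
#include <string.h>

#define MAXHOST 64    /* assumption: Webalizer's real constant is not on the page */

/* Constructed stand-in for a PTR answer from an attacker-controlled zone:
 * 200 'A's followed by ".attacker.example", 217 bytes, far beyond MAXHOST. */
const char *constructed_attacker_name(void)
{
    static char name[256];
    if (name[0] == '\0') {
        memset(name, 'A', 200);
        strcpy(name + 200, ".attacker.example");
    }
    return name;
}

/* The 2.01-06 behaviour, expressed as the check it lacked: strcpy() writes
 * strlen(h_name)+1 bytes into a MAXHOST-byte child_buf. Returns 1 when that
 * copy would run past the end of the buffer. */
int strcpy_would_overflow(const char *h_name)
{
    return strlen(h_name) + 1 > MAXHOST;
}

/* The posted patch: strncpy(child_buf, h_name, MAXHOST). The write is bounded,
 * but when h_name is MAXHOST bytes or longer no NUL is stored, so the original
 * code's next line, size = strlen(child_buf), would read past the buffer.
 * The demo checks with memchr() instead of strlen() so it does not over-read
 * itself. Returns 1 if child_buf ended up NUL-terminated. */
int patched_copy_is_terminated(const char *h_name)
{
    char child_buf[MAXHOST + 1];
    memset(child_buf, 'X', sizeof child_buf);   /* sentinel fill */
    strncpy(child_buf, h_name, MAXHOST);
    return memchr(child_buf, '\0', MAXHOST) != NULL;
}

/* Bounded alternative (assumption, not the 2.01-10 fix). Rather than truncate,
 * which keeps the host label and drops the domain as Brad points out, refuse
 * a name that does not fit together with its NUL. Returns 1 on success. */
int safe_copy_hostname(char *dst, size_t dstsz, const char *h_name)
{
    size_t n = strlen(h_name);
    if (n >= dstsz)
        return 0;
    memcpy(dst, h_name, n + 1);
    return 1;
}

/* What a log-analysis loop would record for one address: the resolved name
 * if it fits, otherwise the dotted-quad it already had. Static buffer for
 * the demo only. */
const char *stats_name(const char *h_name, const char *ip)
{
    static char child_buf[MAXHOST];
    if (!safe_copy_hostname(child_buf, sizeof child_buf, h_name))
        snprintf(child_buf, sizeof child_buf, "%s", ip);
    return child_buf;
}

int main(void)
{
    /* Mimic what gethostbyaddr() would return for a benign and a hostile zone. */
    struct hostent good = { .h_name = "www.example.com" };
    struct hostent evil = { .h_name = (char *)constructed_attacker_name() };

    printf("strcpy would overflow:   good=%d evil=%d\n",
           strcpy_would_overflow(good.h_name), strcpy_would_overflow(evil.h_name));
    printf("strncpy patch terminates: good=%d evil=%d\n",
           patched_copy_is_terminated(good.h_name),
           patched_copy_is_terminated(evil.h_name));
    printf("recorded for good host:  %s\n", stats_name(good.h_name, "192.0.2.1"));
    printf("recorded for evil host:  %s\n", stats_name(evil.h_name, "192.0.2.2"));
    return 0;
}
```

Build with `cc -Wall -o dnscopy dnscopy.c` and run it. The second function is the one that shows why the patch is wrong: for the benign name strncpy() pads with NULs and the buffer is terminated, for the hostile name the first MAXHOST bytes are all 'A' and no terminator exists inside the buffer. The third function rejects rather than truncates so that an over-long answer never reaches the report at all, which also removes the "random garbage" and "cut-off domain" effects Brad describes.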