Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

OpenBSD/NetBSD: mopd buffer overflow Print E-mail
User Rating:      How can I rate this item?
Posted by Team   
OpenBSD Buffer overflow exists in the Maintenance Operations Protocol loader daemon
---------- Forwarded message ----------
Date: Tue, 8 Aug 2000 03:48:04 -0400
From: Matt Power <mhpower@MIT.EDU>
Subject: OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow

The mopd (Maintenance Operations Protocol loader daemon)
implementation in OpenBSD 2.7 and NetBSD 1.4.2 includes a step in
which the daemon receives a file name from a client elsewhere on the
network. I found one point at which the client can overflow a
buffer in the server by sending a long file name. Also, I found two
points at which the server uses the client-supplied file name directly
as part of a format string in a syslog(3) function call (this is
potentially problematic if the file name contains any % characters).

I reported these issues to the OpenBSD and NetBSD security contact
addresses at 00:04 UTC on 29 June 2000. I received a reply from the
OpenBSD project at 00:15 UTC on 29 June, and a reply from the NetBSD
Project at 03:05 UTC on 29 June.

An OpenBSD 2.7 security advisory was issued on 5 July -- see and its link to (which references a patch for
OpenBSD 2.7). Patches for NetBSD have also been written -- you may
wish to look at

There are other versions of mopd that you might possibly be using.
Download locations include

   ftp://ftp.Red Hat/powertools/6.2/i386/SRPMS/mopd-linux-2.5.3-4.src.rpm

I suspect that currently all of these are vulnerable versions. To
check for the buffer-overflow problem yourself, look at the function
mopProcessDL in the file process.c. Older versions of the code declare
a 17-character buffer named pfile, and rely directly on a value of
tmpc (an unsigned char value obtained over the network from the
client) to determine how much data to write into this buffer,
regardless of whether the buffer is smaller than tmpc. To check for
the syslog problem, look for "syslog(LOG_INFO, line);".

I think OpenBSD and NetBSD are the only cases in which mopd is
installed by default in any common operating-system distribution.
There's no direct risk in having mopd installed; the potential risk
occurs only if a vulnerable version of mopd is running (mopd can be
one of the daemons started at boot time, or it could be started later
by root; it is not run from inetd). The risk may also commonly be
further limited by the inability of any machines outside of the local
Ethernet to get packets to the mopd. Finally, mopd would typically not
be running except on machines that act as a netboot server for certain
other pieces of hardware on a local network (e.g., some types of DEC
hardware, possibly also some types of Cisco hardware).

Matt Power
< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
FBI Quietly Removes Recommendation To Encrypt Your Phone
And the prize for LEAST SECURE BROWSER goes to ... Chrome!
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.