LinuxSecurity.com
OpenBSD/NetBSD: mopd buffer overflow
Posted by LinuxSecurity.com Team   
OpenBSD: A buffer overflow exists in the Maintenance Operations Protocol loader daemon (mopd).
---------- Forwarded message ----------
Date: Tue, 8 Aug 2000 03:48:04 -0400
From: Matt Power <mhpower@MIT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: OpenBSD 2.7 / NetBSD 1.4.2 mopd buffer overflow

The mopd (Maintenance Operations Protocol loader daemon)
implementation in OpenBSD 2.7 and NetBSD 1.4.2 includes a step in
which the daemon receives a file name from a client elsewhere on the
network. I found one point at which the client can overflow a
buffer in the server by sending a long file name. Also, I found two
points at which the server uses the client-supplied file name directly
as part of a format string in a syslog(3) function call (this is
potentially problematic if the file name contains any % characters).

I reported these issues to the OpenBSD and NetBSD security contact
addresses at 00:04 UTC on 29 June 2000. I received a reply from the
OpenBSD project at 00:15 UTC on 29 June, and a reply from the NetBSD
Project at 03:05 UTC on 29 June.

An OpenBSD 2.7 security advisory was issued on 5 July -- see 
http://www.openbsd.org/security.html#27 and its link to 
http://www.openbsd.org/errata.html#mopd (which references a patch for
OpenBSD 2.7). Patches for NetBSD have also been written -- you may
wish to look at 
http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c

There are other versions of mopd that you might possibly be using.
Download locations include

   ftp://ftp.redhat.com/pub/redhat/powertools/6.2/i386/SRPMS/mopd-linux-2.5.3-4.src.rpm
   ftp://ftp.stacken.kth.se/pub/OS/NetBSD/mopd/mopd-linux-2.5.3.tar.gz
   ftp://linux-vax.sourceforge.net/pub/linux-vax/tools/misc/mopd-linux.tar.gz

I suspect that currently all of these are vulnerable versions. To
check for the buffer-overflow problem yourself, look at the function
mopProcessDL in the file process.c. Older versions of the code declare
a 17-character buffer named pfile, and rely directly on a value of
tmpc (an unsigned char value obtained over the network from the
client) to determine how much data to write into this buffer,
regardless of whether the buffer is smaller than tmpc. To check for
the syslog problem, look for "syslog(LOG_INFO, line);".

I think OpenBSD and NetBSD are the only cases in which mopd is
installed by default in any common operating-system distribution.
There's no direct risk in having mopd installed; the potential risk
occurs only if a vulnerable version of mopd is running (mopd can be
one of the daemons started at boot time, or it could be started later
by root; it is not run from inetd). The risk may also commonly be
further limited by the inability of any machines outside of the local
Ethernet to get packets to the mopd. Finally, mopd would typically not
be running except on machines that act as a netboot server for certain
other pieces of hardware on a local network (e.g., some types of DEC
hardware, possibly also some types of Cisco hardware).

Matt Power
mhpower@mit.edu
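
Added example (not part of the forwarded message and not mopd's own code): a bounds-checked copy of a length-prefixed file name into a 17-byte buffer, with the name logged as an argument rather than as the syslog(3) format string. The helper names, the field layout (one length byte followed by the name) and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define PFILE_SIZE 17   /* size of pfile as stated in the advisory */

/* Constructed sample fields: one length byte (tmpc) followed by the name. */
static const unsigned char SAMPLE_OK[]   = { 4, 'b', 'o', 'o', 't' };
static const unsigned char SAMPLE_LONG[] = { 200, 'A', 'A', 'A' };
static const unsigned char SAMPLE_FMT[]  = { 4, 'a', '%', 's', 'b' };

/* Hypothetical helper, not mopd's code. Copies a length-prefixed name into
 * pfile only when it fits the buffer and the bytes were actually received.
 * Returns the name length, or -1 when the field is rejected. */
int copy_name(const unsigned char *field, size_t field_len,
              char pfile[PFILE_SIZE])
{
    if (field_len < 1)
        return -1;
    size_t tmpc = field[0];                /* client-controlled, 0..255 */
    if (tmpc >= PFILE_SIZE)                /* leave room for the NUL */
        return -1;
    if (tmpc > field_len - 1)              /* claims more than was sent */
        return -1;
    memcpy(pfile, field + 1, tmpc);
    pfile[tmpc] = '\0';
    return (int)tmpc;
}

/* Builds the log text with the name as an argument, never as the format. */
int format_log_line(char *line, size_t size, const char *pfile)
{
    return snprintf(line, size, "load request for file %s", pfile);
}

int main(void)
{
    char pfile[PFILE_SIZE], line[64];
    if (copy_name(SAMPLE_FMT, sizeof SAMPLE_FMT, pfile) < 0)
        return 1;
    format_log_line(line, sizeof line, pfile);
    syslog(LOG_INFO, "%s", line);          /* not syslog(LOG_INFO, line) */
    puts(line);
    return 0;
}
```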