Multiple Vendor mopd User Inputted Data Used as Format String Vulnerability
BID:1559
Info
| Bugtraq ID: | 1559 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 08 2000 12:00AM |
| Updated: | Aug 08 2000 12:00AM |
| Credit: | This vulnerability was reported to the Bugtraq mailing list on August 8, 2000 by Matt Power |
| Vulnerable: | Redhat PowerTools 6.2; Redhat PowerTools 6.1; Redhat PowerTools 6.0; OpenBSD OpenBSD 2.7; OpenBSD OpenBSD 2.6; OpenBSD OpenBSD 2.5; OpenBSD OpenBSD 2.4; NetBSD NetBSD 1.4.2 x86; NetBSD NetBSD 1.4.2 SPARC; NetBSD NetBSD 1.4.2 arm32; NetBSD NetBSD 1.4.2 Alpha; NetBSD NetBSD 1.4.1 x86; NetBSD NetBSD 1.4.1 SPARC; NetBSD NetBSD 1.4.1 arm32; NetBSD NetBSD 1.4.1 Alpha |
| Not Vulnerable: | |
Discussion
A buffer overflow exists in the mopd daemon, which ships with a number of popular operating systems. By supplying a filename containing the proper format strings (% strings), a remote attacker can overwrite values on the stack. It may be possible to use this capability to execute arbitrary code on the affected machine.
To check for a vulnerable version, look at the mopProcessDL() function in process.c. If the pfile[] buffer is declared to be 17 bytes, the version is vulnerable.
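The source check described above, as an added example (not part of the original advisory and not mopd's own code): a Python helper that extracts the body of mopProcessDL() from the text of process.c and reports the declared size of pfile[]. The helper names are hypothetical, and the embedded sample sources are constructed for illustration; the 64-byte size in the second sample is arbitrary.

```python
import re

FUNC = "mopProcessDL"                      # function named in the advisory
PFILE = re.compile(r"\bpfile\s*\[\s*(\d+)\s*\]")

def _close(text, start, op, cl):
    """Index of the delimiter that closes text[start], or -1 if unbalanced."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == op) - (text[i] == cl)
        if depth == 0:
            return i
    return -1

def function_body(source, name=FUNC):
    """Body of the definition of `name`; prototypes and plain calls are skipped."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)    # drop C comments
    for m in re.finditer(r"\b%s\s*\(" % re.escape(name), source):
        paren = _close(source, m.end() - 1, "(", ")")
        tail = source[paren + 1:].lstrip() if paren >= 0 else ""
        if not tail or tail[0] in ";,)":   # declaration or call, not a definition
            continue
        brace = source.find("{", paren)
        end = _close(source, brace, "{", "}") if brace >= 0 else -1
        if end >= 0:
            return source[brace:end + 1]
    return None

def pfile_sizes(source):
    body = function_body(source)
    return [int(n) for n in PFILE.findall(body)] if body else []

def is_vulnerable(source):
    """The advisory's test: pfile[] declared as 17 bytes in mopProcessDL()."""
    return 17 in pfile_sizes(source)

# Constructed samples for illustration only; NOT the real mopd process.c.
SAMPLE_17 = """
void mopProcessDL(FILE *);   /* prototype: must be skipped */
static void other(void) { char pfile[17]; }   /* wrong function */
void
mopProcessDL(fd)
	FILE *fd;
{
	char pfile[17], mne;
	if (fd) { mne = 0; }
}
"""
SAMPLE_64 = SAMPLE_17.replace("char pfile[17], mne", "char pfile[64], mne")  # 64 is arbitrary
```

To audit a real tree, read process.c as text and pass it to `is_vulnerable()`; braces inside string literals are not handled, so treat an empty result as "inspect by hand".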
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent inform
Solution / Fix
NetBSD NetBSD 1.4.1 Alpha
NetBSD NetBSD 1.4.1 x86
NetBSD NetBSD 1.4.1 arm32
NetBSD NetBSD 1.4.1 SPARC
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.2 arm32
NetBSD NetBSD 1.4.2 Alpha
NetBSD NetBSD 1.4.2 SPARC
OpenBSD OpenBSD 2.4
- OpenBSD 018_mopd.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/018_mopd.patch
OpenBSD OpenBSD 2.6
- OpenBSD 018_mopd.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/018_mopd.patch
OpenBSD OpenBSD 2.7
- OpenBSD 018_mopd.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/018_mopd.patch
Redhat PowerTools 6.2
- Red Hat Inc. 6.2 alpha mopd-linux-2.5.3-15.alpha.rpm
  ftp://updates.redhat.com/powertools/6.2/alpha/mopd-linux-2.5.3-15.alpha.rpm
- Red Hat Inc. 6.2 i386 mopd-linux-2.5.3-15.i386.rpm
  ftp://updates.redhat.com/powertools/6.2/i386/mopd-linux-2.5.3-15.i386.rpm
- Red Hat Inc. 6.2 sparc mopd-linux-2.5.3-15.sparc.rpm
  ftp://updates.redhat.com/powertools/6.2/sparc/mopd-linux-2.5.3-15.sparc.rpm
References
- NetBSD Security Page (NetBSD)
- OpenBSD Security Information (OpenBSD)