snplog.bof.txt

`Date: Tue, 16 Feb 1999 00:42:49 +0000  
From: Rupert Weber-Henschel <[email protected]>  
To: [email protected]  
Subject: snplog-1.0 buffer overflow  
  
There is a possible buffer overflow in snplog-1.0. Or is it 0.1? The  
tar file is 0.1, the docs say 1.0. %)  
(snplog contains tcplogd, icmplogd, udplogd)  
  
The offending code is a sscanf() which parses the response of a remote  
identd.  
In rfc1413.c, around line 80:  
  
/* minimal parsing, we just want the username */  
sscanf(buf,  
"%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] :  
%[^\n\r]",  
ret);  
  
where buf contains up to 512 bytes received from the identd, but ret has  
only 64 bytes.  
  
I don't know if this exploitable in terms of root compromise (ret is  
malloc'ed, not on the stack), but a quick test made me press the reset  
button...  
  
The obvious quick fix is to add a 63 after the last %:  
sscanf(buf,  
"%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] :  
%63[^\n\r]",  
ret);  
  
While I still don't like the idea of having a biest like scanf in  
critical code at all...  
  
The homepage for snplog is:  
http://www.franken.de/users/gauss/snplog/  
  
  
The author has been notified, of course.  
  
  
Cheers,  
  
  
Rupert  
  
  
  
--  
Rupert Weber-Henschel  
E-Mail: [email protected]  
Fax: +49-89-34023886  
  
PGP Public Key: http://www.cip.physik.uni-muenchen.de/~weber  
  
`