Home page logo

fulldisclosure logo Full Disclosure mailing list archives

ez-ipupdate format string bug
From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Thu, 11 Nov 2004 14:59:31 +0100

* ez-ipupdate format string bug *

"ez-ipupdate is a quite complete client for the dynamic DNS service offered
by http://www.ez-ip.net/ and many more. Currently supported are: ez-ip
[..] , Penguinpowered [..] , DHS [..] , dynDNS [..] , ODS [..] , TZO [..] ,
EasyDNS [..] , Justlinux [..] , Dyns [..] , HN [..] , ZoneEdit [..] and
Hurricane Electric's IPv6 Tunnel Broker [..]. All services using GNUDip are
also supported."

(from packages.debian.org)

I have found a format string bug in ez-ipupdate. It affects at least the
versions 3.0.11b8, 3.0.11b7, 3.0.11b6, 3.0.11b5 and 3.0.10. It doesn't affect
2.9.6. The vulnerability has the identifier CAN-2004-0980.

The format string bug allows a malicious remote server to execute arbitrary
code on the machine running ez-ipupdate, if and only if daemon mode is on
(very common) and certain service types are used. I have attached a trivial
patch (against 3.0.11b8) that corrects this problem.

It proved to be impossible to contact upstream, as all his e-mail addresses
bounced. The Linux and *BSD vendors that distribute ez-ipupdate have been
contacted, but so far only Mandrakelinux and SUSE Linux have published
patched versions.

// Ulf Harnhammar                  http://www.advogato.org/person/metaur/
   for the
   Debian Security Audit Project   http://www.debian.org/security/audit/

Attachment: ez-ipupdate.formstring.patch

  By Date           By Thread  

Current thread:
  • ez-ipupdate format string bug Ulf Härnhammar (Nov 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]