I was just visiting http://www.echelon.wiretapped.net and downloaded a
small file called "tcplog.c" with no author or version stated. It is for
logging connections to your box (Linux only).
There are some minor coding gripes I could make, but line 107
takes a risk with the size of a hostname:

 98 char *hostlookup(unsigned long int in)
 99 {
100     static char blah[1024];
101     struct in_addr i;
102     struct hostent *he;
103
104     i.s_addr=in;
105     he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
106     if(he == NULL) strcpy(blah, inet_ntoa(i));
107     else strcpy(blah, he->h_name);
108     return blah;
109 }

Also I want to mention DeleGate-5.9.3 (at www.echelon.wiretapped.net and
elsewhere, in versions for Linux, AIX etc).
Luc Stepniewski <lstep_at_mail.dotcom.fr> drew attention to this in April 1999
for having very many string operations without bounds checking.
Although I made it dump core
#0 0x40058cf3 in ?? () from /lib/libc.so.6
(gdb) bt
#0 0x40058cf3 in ?? () from /lib/libc.so.6
#1 0x8103b80 in RES_matchLine (
what=0x41414141 <Address 0x41414141 out of bounds>, byname=1094795585,
name=0x41414141 <Address 0x41414141 out of bounds>,
line=0x41414141 <Address 0x41414141 out of bounds>, rv=0x41414141,
rb=0x41414141 <Address 0x41414141 out of bounds>,
cname=0x41414141 <Address 0x41414141 out of bounds>) at reshost.c:461
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
when I came to convert this into an exploit I could not reproduce it. I told
Luc around April I was going to make a demo exploit but have never found the
time. Will someone else take it on? DeleGate has pretensions to being
a security product and ought to set an example or be made one.
Luc and I both contacted the author in/before April.
--
##############################################################
# Antonomasia ant_at_notatla.demon.co.uk #
# See http://www.notatla.demon.co.uk/ #
##############################################################
Received on Oct 09 1999
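
Added example, not part of the original post or of tcplog.c: one way to bound the copy that line 107 performs with strcpy(), with the caller supplying the buffer instead of a shared static one. The names copy_hostname and hostlookup_bounded are hypothetical, and the oversized name in main() is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Copy a resolver-supplied name without trusting its length.
 * Returns 0 on success; -1 if it does not fit, leaving dst empty
 * so a truncated name is never logged as if it were complete. */
int copy_hostname(char *dst, size_t dstlen, const char *name)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (name == NULL || strlen(name) >= dstlen)
        return -1;
    memcpy(dst, name, strlen(name) + 1);
    return 0;
}

/* Bounded counterpart of hostlookup() (hypothetical name): the caller
 * supplies the buffer. Falls back to dotted-quad form when the lookup
 * fails or the name is too long. Returns 0 on success, -1 on failure. */
int hostlookup_bounded(unsigned long int in, char *out, size_t outlen)
{
    struct in_addr i;
    struct hostent *he;

    i.s_addr = (in_addr_t)in;
    he = gethostbyaddr((const void *)&i, sizeof(i), AF_INET);
    if (he != NULL && copy_hostname(out, outlen, he->h_name) == 0)
        return 0;
    /* inet_ntop() checks outlen itself and returns NULL if too small */
    return inet_ntop(AF_INET, &i, out, (socklen_t)outlen) ? 0 : -1;
}

int main(void)
{
    char buf[64], big[2048];   /* big: constructed oversized name */

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    printf("oversized: %d\n", copy_hostname(buf, sizeof(buf), big));
    printf("short: %d\n", copy_hostname(buf, sizeof(buf), "host.example"));
    return 0;
}
```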