From jmtorre@axiomasistemas.com Thu Jan 3 17:35:10 2002
From: "Juan M. de la Torre"
To: bugtraq@securityfocus.com
Date: Thu, 03 Jan 2002 16:11:24 +0100
Subject: Heap overflow in snmpnetstat

----------------------------
Axioma Security Research
January 3, 2002

A D V I S O R Y
www.axiomasistemas.com
----------------------------

Platforms   : All (tested on Red Hat Linux 7.1)
Application : snmpnetstat from ucd-SNMP-4.2.3 (www.net-snmp.org)
Impact      : Remote access to the snmpnetstat client machine

Overview
--------
snmpnetstat, a tool from the ucd-snmp package, has a remotely exploitable
heap overflow when parsing the server's replies. A possible patch and a
proof of concept exploit are attached.

Vendor status
-------------
Contacted

Details
-------
When snmpnetstat requests the list of interfaces, it first allocates an
array to hold all the structs, one for each interface fetched. Then it
sends a getnextrequest PDU to the server requesting ifindex, ifaddr and
ifnetmask, and saves these values in the first null entry of the array.
Then it sends another getnextrequest PDU requesting ifindex and some
other variables. If the ifindex value returned by the server is different
from the one previously fetched, and the interface currently being
scanned is the last, the memory located after the array will be
overwritten with the variables returned by the server, causing a heap
overflow.

The research team of Axioma Sistemas has been able to exploit this flaw,
providing a default offset for Red Hat 7.1. See the attached exploit.

Axioma Sistemas is unaware at this time whether previous versions of
snmpnetstat are affected by the vulnerability described in this
advisory, but they probably are.

Recommendations
---------------
Apply the attached patch or upgrade to the next release of Net-SNMP when
available.

Credits
-------
Axioma Security Research would like to thank Juan M. de la Torre
(jmtorre@axiomasistemas.com) for discovering and researching this
vulnerability.

-------------------
About Axioma Sistemas

Axioma is a leading security consultant for the Internet, founded to help
corporations improve their network security. With penetration tests and a
high level of security assessment, Axioma is able to give commercial banks,
telecommunication companies and many other customers the security they need.

Attachments:
  snmp.diff (Application/OCTET-STREAM, 740 bytes)
  snmpx.c   (Application/OCTET-STREAM, 27KB)
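The bounds check that the Details section describes as missing, as an added example in C modelled on that description (it is not ucd-snmp's code and not the attached snmp.diff; the struct layout, slot count and reply values are constructed for illustration):

```c
#include <string.h>

/* Constructed model of snmpnetstat's interface table (not ucd-snmp's real
 * struct): one entry per interface, filled from successive getnext replies. */
struct iface {
    int  ifindex;
    char name[16];
};
/* A constructed reply: the agent's ifindex plus one per-interface variable. */
struct reply { int ifindex; const char *name; };

/* Fill tab[0..n-1] from the reply stream. The walk moves to the next slot
 * whenever the agent's ifindex stops matching the slot being filled. That
 * ifindex is remote input, so the move must be bounded by n: the advisory's
 * flaw is this move without the bound, which puts the write past the end of
 * the allocated array. Returns slots filled, or -1 if the table is too small. */
int fill_iface_table(struct iface *tab, int n, const struct reply *r, int nr)
{
    if (n <= 0 || nr <= 0)
        return 0;
    int cur = 0;
    tab[0].ifindex = r[0].ifindex;
    for (int k = 0; k < nr; k++) {
        if (r[k].ifindex != tab[cur].ifindex) {
            if (cur + 1 >= n)          /* the missing bounds check */
                return -1;             /* refuse rather than overflow */
            tab[++cur].ifindex = r[k].ifindex;
        }
        /* Bound the agent-supplied string the same way. */
        strncpy(tab[cur].name, r[k].name, sizeof tab[cur].name - 1);
        tab[cur].name[sizeof tab[cur].name - 1] = '\0';
    }
    return cur + 1;
}

/* Two constructed walks against a table of two slots: one that fits and one
 * where the agent reports a third interface the table has no room for. */
int demo_fits(void)
{
    struct iface tab[2];
    const struct reply r[] = { {1, "lo"}, {1, "lo"}, {2, "eth0"} };
    return fill_iface_table(tab, 2, r, 3);      /* returns 2 */
}
int demo_too_many(void)
{
    struct iface tab[2];
    const struct reply r[] = { {1, "lo"}, {2, "eth0"}, {3, "eth1"} };
    return fill_iface_table(tab, 2, r, 3);      /* returns -1 */
}
```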