Heap overflow in snmpnetstat

From: Juan M. de la Torre (jmtorre@axiomasistemas.com)
Date: Thu Jan 03 2002 - 16:11:24 CET


              ----------------------------
                Axioma Security Research
                    January 3, 2002
                    A D V I S O R Y
                 www.axiomasistemas.com
              ----------------------------

Platforms : All
            : Tested on Red Hat Linux 7.1

Application : snmpnetstat from ucd-SNMP-4.2.3 (www.net-snmp.org)

Impact : Remote access to the snmpnetstat client machine
 
 Overview
 --------

  snmpnetstat, a tool from the ucd-snmp package, has a remotely exploitable
 heap overflow when parsing server replies. A possible patch and a
 proof of concept exploit are attached.

  
 Vendor status
 -------------

  Contacted
  

 Details
 -------

  When snmpnetstat requests the list of interfaces, it first allocates an
 array to hold all the structs, one for each interface fetched. Then it
 sends a getnextrequest PDU to the server requesting ifindex, ifaddr and
 ifnetmask, and saves these values in the first null entry of the array.
 Then it sends another getnextrequest PDU requesting ifindex and some
 other variables. If the ifindex value returned by the server is different
 from the one previously fetched, and the interface currently being scanned
 is the last one, the memory located after the array will be overwritten with
 the variables returned by the server, causing a heap overflow.
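
 The bounds check this flaw calls for, as an added example that is not part
 of the advisory, its attached patch, or the ucd-snmp source. The struct
 layout, the function names and the rule that a mismatching ifindex advances
 to the next slot are assumptions made to model the description above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the interface table; not ucd-snmp code. */
struct iface {
    long ifindex;   /* ifIndex saved by the first getnext pass */
    char name[16];  /* value filled in by the second pass */
};

/* Flawed pattern (assumed model): a reply whose ifIndex differs from the
 * stored one is treated as belonging to the next slot. When cur is the last
 * entry this returns count, i.e. one element past the allocation. */
static size_t slot_unchecked(const struct iface *tab, size_t cur, long reply_idx)
{
    return tab[cur].ifindex == reply_idx ? cur : cur + 1;
}

/* Hardened choice: reject any reply that would land outside the array or
 * that does not match an ifIndex recorded in the first pass. -1 = reject. */
static long slot_checked(const struct iface *tab, size_t count, size_t cur,
                         long reply_idx)
{
    size_t slot;
    if (cur >= count)
        return -1;
    slot = slot_unchecked(tab, cur, reply_idx);
    if (slot >= count || tab[slot].ifindex != reply_idx)
        return -1;
    return (long)slot;
}

/* Copy a server-supplied string only into a validated slot, truncated. */
static long store_reply(struct iface *tab, size_t count, size_t cur,
                        long reply_idx, const char *val)
{
    long slot = slot_checked(tab, count, cur, reply_idx);
    if (slot < 0)
        return -1;
    snprintf(tab[slot].name, sizeof tab[slot].name, "%s", val);
    return slot;
}

int main(void)
{
    struct iface tab[2] = { {1, ""}, {2, ""} };  /* constructed sample */
    /* Last entry, mismatching ifIndex 99: must be rejected, not written. */
    return store_reply(tab, 2, 1, 99, "constructed-reply") == -1 ? 0 : 1;
}
```

 A client that rejects such a reply should treat the whole response as
 malformed and stop the table walk, since the server's view of the
 interface list no longer matches what was allocated.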

  The research team of Axioma Sistemas has been able to exploit this flaw,
 providing a default offset for Red Hat 7.1. See the attached exploit.

  Axioma Sistemas is unaware at this time whether previous versions of
 snmpnetstat are affected by the vulnerability described in this advisory,
 but they probably are.

 Recommendations
 ---------------

  Apply the attached patch or upgrade to the next release of Net-SNMP when
 available.

 Credits
 -------

  Axioma Security Research would like to thank Juan M. de la Torre
 (jmtorre@axiomasistemas.com) for discovering and researching this
 vulnerability.

-------------------
 About Axioma Sistemas

  Axioma is a leading security consultant for the Internet, founded to help
 corporations improve their network security. With penetration tests and
 a high level of security assessment, Axioma is able to give commercial
 banks, telecommunication companies and many other customers the security
 they need.

  






