Vigil@nce: IP Filter, buffer overflow of ippool
June 2009 by Vigil@nce
When the ippool command of IP Filter is used, an attacker can execute code on the computer.
Severity: 2/4
Consequences: user access/rights, denial of service
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: low (1/3)
Creation date: 25/05/2009
IMPACTED PRODUCTS
IP Filter
NetBSD
DESCRIPTION OF THE VULNERABILITY
The ippool command of IP Filter uses a configuration file containing lists of IP addresses. This configuration file can be loaded from a remote web server.
The load_http() function of the lib/load_http.c file downloads the configuration file located on the remote server. In order to do so, it creates an HTTP query like:
  GET http://the_server/the_file HTTP/1.0
  Host: the_server
The size of "http://the_server/the_file" cannot be longer than 512 bytes.
If the size of "the_server" is 504 bytes, the size of the previous query is 1041 bytes. However, the buffer containing this query has a size of 1024 bytes. An overflow thus occurs.
When the attacker can force the ippool command to load a long URL, he can therefore execute code on the computer.
CHARACTERISTICS
Identifiers: BID-35076, CVE-2009-1476, VIGILANCE-VUL-8735
http://vigilance.fr/vulnerability/IP-Filter-buffer-overflow-of-ippool-8735