Vigil@nce: IP Filter, buffer overflow of ippool
June 2009 by Vigil@nce
When the ippool command of IP Filter is used, an attacker can
execute code on the computer.
Severity: 2/4
Consequences: user access/rights, denial of service of service
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: low (1/3)
Creation date: 25/05/2009
IMPACTED PRODUCTS
– IP Filter
– NetBSD
DESCRIPTION OF THE VULNERABILITY
The ippool command of IP Filter uses a configuration file
containing IP addresses lists. This configuration file can be
loaded from a remote web server.
The load_http() function of the lib/load_http.c file downloads the
configuration file located on the remote server. In order to do
so, it creates an HTTP query like:
GET http://the_server/the_file HTTP/1.0
Host: the_server
The size of "http://the_server/the_file" cannot be longer than 512
bytes.
If the size of "the_server" is 504 bytes, the size of the previous
query is 1041 bytes. However, the buffer containing this query has
a size of 1024 bytes. An overflow thus occurs.
When the attacker can force the ippool command to use a long url,
he can therefore execute code on the computer.
CHARACTERISTICS
Identifiers: BID-35076, CVE-2009-1476, VIGILANCE-VUL-8735
http://vigilance.fr/vulnerability/IP-Filter-buffer-overflow-of-ippool-8735