Hi!
IIRC, there was a small discussion about DeleGate in the past (some
weeks ago, I think). Therefore I decided to forward you this post from
BugTraq.
best regards,
Rainer Link
-------- Original Message --------
Subject: Re: application proxies?
Date: Thu, 10 Feb 2000 00:59:49 -0500
From: Omachonu Ogali
Reply-To: Omachonu Ogali
To: BUGTRAQ@securityfocus.com
DO NOT USE DELEGATE.
Here are some of my findings with delegate, and I'm still not done yet.
-- snip --
Delegate Problems
=================
Start of access.c:
* Line 41 defines a fixed-length variable (authority - 1024 bytes).
- scan_AUTH() does no bound checking and blindly uses strcat() to
append
to the variable.
* Line 57 defines a fixed-length variable (xauth - 1024 bytes).
- findAuth() does no bounds checking and blindly passes all three
variables to sprintf().
* Line 66 calls sprintf() again to output into a fixed-length variable
(xauth - 1024 bytes).
* Line 74 defines a fixed-length variable (userhost - 256 bytes).
- auth_manager() does no bound checking and blindly passes two
variables
to sprintf() with no bounds checking.
* Line 87 defines a fixed-length variable (auth - 256 bytes).
- auth_anonftp() does no bounds checking and blindly passes the
anonymous FTP password to sprintf().
* Line 116 defines a fixed-length variable (hostb - 256 bytes).
- NotifyPlatform() calls getClientHostPort() which calls
getClientHostPortAddr() blindly copies (strcpy) the address passed
from NotifyPlatform into a 32-byte buffer defined in the
'Connection'
structure.
* Line 145 defines a fixed-length variable (myuri - 256 bytes).
- clientIF_HP() calls _clientIF() which blindly outputs (sprintf) the
host and port information into the variable 'myuri' after receiving
its data from 'myhp'.
* Line 145 defines a fixed-length variable (client - 256 bytes).
- makeForwarded() calls getClientHostPort() which calls
getClientHostPortAddr() which blindly copies (strcpy) the address
passed from NotifyPlatform into a 32-byte buffer defined in the
'Connection' structure.
* Line 146 defines a fixed-length variable (myhp - 256 bytes).
- clientIF_HP() calls _clientIF() which returns data that is not
bound-checked into the variable 'myhp' for latter consumption by
sprintf().
* Line 168 defines a fixed-length variable (atype - 128 bytes).
- makeAuthorization() calls sscanf() to retrieve arguments and cannot
bound check the data resulting in a buffer overrun.
* Line 168 defines a fixed-length variable (afmt - 128 bytes).
- makeAuthorization() calls sscanf() to retrieve arguments and cannot
bound check the data resulting in a buffer overrun.
* Line 169 defines a fixed-length variable (gauth - 256 bytes).
- makeAuthorization() calls strfConn() to return the protocol desired
into 'gauth', and two more strings are appended (strcat) without
bounds checking.
* Line 169 defines a fixed-length variable (eauth - 256 bytes).
- makeAuthorization() calls str_to64() specifying the size as eauth as
512 bytes instead of 256 bytes.
* Line 215 defines a fixed-length variable (host - 256 bytes).
- makeClientLog() does not perform bound checking on the results
returned by strfConn() allowing for a buffer overrun.
* Line 215 defines a fixed-length variable (iuser - 256 bytes).
- makeClientLog() does not perform bound checking on the results
returned by strfConn() allowing for a buffer overrun.
* Line 215 defines a fixed-length variable (auser - 256 bytes).
- makeClientLog() does not perform bound checking on the results
returned by strfConn() allowing for a buffer overrun.
* Line 320 uses strcpy() blindly.
- No bounds checking is performed before copying 'clhost' into
Client_Addr
which is the 32-byte fixed-length variable 'cl_Addr' in the
structure
Connection defined in delegate.h.
* Line 321 uses strcpy() blindly.
- No bounds checking is performed before copying 'clhost' into
Client_Addr
which is the 128-byte fixed-length variable 'cl_Host' in the
structure
Connection defined in delegate.h.
* Line 429 defines a fixed-length variable (buf - 1024 bytes).
- scanIdent() does not perform bounds checking on the variable passed
and blindly copies it (strcpy) into 'buf'. Allows an attacker to
create their own identd trojan/daemon and pass arbitrary code.
* Line 449 defines a fixed-length variable (addrhostport - 256 bytes).
- getClientHostPortAddr() does not perform bounds checking on the
results returned from getpeerName(). Allows an attacker to create
their own fake DNS reply and pass arbitrary code.
* Line 449 defines a fixed-length variable (addr - 256 bytes).
- Suffers from insufficient bounds checking on the result returned by
getpeerName() and receives data from sscanf().
* Line 449 defines a fixed-length variable (host - 256 bytes).
- Suffers from insufficient bounds checking on the result returned by
getpeerName() and receives data from sscanf().
* Line 456 uses strcpy() blindly.
- No bounds checking is performed before copying 'addr' into
Client_Addr
which is the 32-byte fixed-length variable 'cl_Addr' in the
structure
Connection defined in delegate.h.
* Line 457 uses strcpy() blindly.
- No bounds checking is performed before copying 'host' into
Client_Addr
which is the 128-byte fixed-length variable 'cl_Host' in the
structure
Connection defined in delegate.h.
* Line 528 defines a fixed-length variable (host - 1024 bytes).
- No bounds checking is performed on 'hostport' before its blindly
passed into 'host' by sscanf().
* Line 549 defines a fixed-length variable (user - 128 bytes).
- A fixed-length variable is passed to getClientUser0() and it suffers
from insufficient bounds checking noted on line 429.
* Line 584 defines a fixed-length variable (host - 256 bytes).
-- snip --
On Wed, 9 Feb 2000, Zahemszky Gabor wrote:
Hello,
I'm preparing an article on FreeBSD firewall tools. So far I plan to
cover ipfw & natd, ipfilter & ipnat, fwtk, kern.securelevel, and
mention snort and nessus as a sideline.
I'd like to present as many applications as possible. The major lack
I see is a choice of application-level proxies such as fwtk. Are there
some I'm not aware of?
If I remember well, delegate is another proxy (but somebody pointed out,
that there are so many unsafe - strcpy/etc - functions in it).
ZGabor at CoDe dot HU
--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Omachonu Ogali
Intranova Networking Group
