Hi! IIRC, there was a small discussion about DeleGate in the past (some weeks ago, I think). Therefore I decided to forward you this post from BugTraq. best regards, Rainer Link -------- Original Message -------- Subject: Re: application proxies? Date: Thu, 10 Feb 2000 00:59:49 -0500 From: Omachonu Ogali <oogali@intranova.net> Reply-To: Omachonu Ogali <oogali@intranova.net> To: BUGTRAQ@securityfocus.com DO NOT USE DELEGATE. Here are some of my findings with delegate, and I'm still not done yet. -- snip -- Delegate Problems ================= Start of access.c: * Line 41 defines a fixed-length variable (authority - 1024 bytes). - scan_AUTH() does no bound checking and blindly uses strcat() to append to the variable. * Line 57 defines a fixed-length variable (xauth - 1024 bytes). - findAuth() does no bounds checking and blindly passes all three variables to sprintf(). * Line 66 calls sprintf() again to output into a fixed-length variable (xauth - 1024 bytes). * Line 74 defines a fixed-length variable (userhost - 256 bytes). - auth_manager() does no bound checking and blindly passes two variables to sprintf() with no bounds checking. * Line 87 defines a fixed-length variable (auth - 256 bytes). - auth_anonftp() does no bounds checking and blindly passes the anonymous FTP password to sprintf(). * Line 116 defines a fixed-length variable (hostb - 256 bytes). - NotifyPlatform() calls getClientHostPort() which calls getClientHostPortAddr() blindly copies (strcpy) the address passed from NotifyPlatform into a 32-byte buffer defined in the 'Connection' structure. * Line 145 defines a fixed-length variable (myuri - 256 bytes). - clientIF_HP() calls _clientIF() which blindly outputs (sprintf) the host and port information into the variable 'myuri' after receiving its data from 'myhp'. * Line 145 defines a fixed-length variable (client - 256 bytes). - makeForwarded() calls getClientHostPort() which calls getClientHostPortAddr() which blindly copies (strcpy) the address passed from NotifyPlatform into a 32-byte buffer defined in the 'Connection' structure. * Line 146 defines a fixed-length variable (myhp - 256 bytes). - clientIF_HP() calls _clientIF() which returns data that is not bound-checked into the variable 'myhp' for latter consumption by sprintf(). * Line 168 defines a fixed-length variable (atype - 128 bytes). - makeAuthorization() calls sscanf() to retrieve arguments and cannot bound check the data resulting in a buffer overrun. * Line 168 defines a fixed-length variable (afmt - 128 bytes). - makeAuthorization() calls sscanf() to retrieve arguments and cannot bound check the data resulting in a buffer overrun. * Line 169 defines a fixed-length variable (gauth - 256 bytes). - makeAuthorization() calls strfConn() to return the protocol desired into 'gauth', and two more strings are appended (strcat) without bounds checking. * Line 169 defines a fixed-length variable (eauth - 256 bytes). - makeAuthorization() calls str_to64() specifying the size as eauth as 512 bytes instead of 256 bytes. * Line 215 defines a fixed-length variable (host - 256 bytes). - makeClientLog() does not perform bound checking on the results returned by strfConn() allowing for a buffer overrun. * Line 215 defines a fixed-length variable (iuser - 256 bytes). - makeClientLog() does not perform bound checking on the results returned by strfConn() allowing for a buffer overrun. * Line 215 defines a fixed-length variable (auser - 256 bytes). - makeClientLog() does not perform bound checking on the results returned by strfConn() allowing for a buffer overrun. * Line 320 uses strcpy() blindly. - No bounds checking is performed before copying 'clhost' into Client_Addr which is the 32-byte fixed-length variable 'cl_Addr' in the structure Connection defined in delegate.h. * Line 321 uses strcpy() blindly. - No bounds checking is performed before copying 'clhost' into Client_Addr which is the 128-byte fixed-length variable 'cl_Host' in the structure Connection defined in delegate.h. * Line 429 defines a fixed-length variable (buf - 1024 bytes). - scanIdent() does not perform bounds checking on the variable passed and blindly copies it (strcpy) into 'buf'. Allows an attacker to create their own identd trojan/daemon and pass arbitrary code. * Line 449 defines a fixed-length variable (addrhostport - 256 bytes). - getClientHostPortAddr() does not perform bounds checking on the results returned from getpeerName(). Allows an attacker to create their own fake DNS reply and pass arbitrary code. * Line 449 defines a fixed-length variable (addr - 256 bytes). - Suffers from insufficient bounds checking on the result returned by getpeerName() and receives data from sscanf(). * Line 449 defines a fixed-length variable (host - 256 bytes). - Suffers from insufficient bounds checking on the result returned by getpeerName() and receives data from sscanf(). * Line 456 uses strcpy() blindly. - No bounds checking is performed before copying 'addr' into Client_Addr which is the 32-byte fixed-length variable 'cl_Addr' in the structure Connection defined in delegate.h. * Line 457 uses strcpy() blindly. - No bounds checking is performed before copying 'host' into Client_Addr which is the 128-byte fixed-length variable 'cl_Host' in the structure Connection defined in delegate.h. * Line 528 defines a fixed-length variable (host - 1024 bytes). - No bounds checking is performed on 'hostport' before its blindly passed into 'host' by sscanf(). * Line 549 defines a fixed-length variable (user - 128 bytes). - A fixed-length variable is passed to getClientUser0() and it suffers from insufficient bounds checking noted on line 429. * Line 584 defines a fixed-length variable (host - 256 bytes). -- snip -- On Wed, 9 Feb 2000, Zahemszky Gabor wrote:

...

Hello,

I'm preparing an article on FreeBSD firewall tools. So far I plan to cover ipfw & natd, ipfilter & ipnat, fwtk, kern.securelevel, and mention snort and nessus as a sideline.

I'd like to present as many applications as possible. The major lack I see is a choice of application-level proxies such as fwtk. Are there some I'm not aware of?

If I remember well, delegate is another proxy (but somebody pointed out, that there are so many unsafe - strcpy/etc - functions in it).

ZGabor at CoDe dot HU

-- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

Omachonu Ogali Intranova Networking Group