Tetrix缓冲区溢出漏洞

漏洞信息详情

Tetrix缓冲区溢出漏洞

• CNNVD编号：CNNVD-199902-032
• 危害等级： 中危
  
  
• CVE编号：
  CVE-1999-1060
  
• 漏洞类型：
  
  
  缓冲区溢出
  
• 发布时间：
  
  1999-02-17
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2005-10-20
  
• 厂        商：
  
  tetrix
• 漏洞来源：
  First posted to Bu…

Tetrix TetriNet daemon 1.13.16版本存在缓冲区溢出漏洞。远程攻击者从一个带有长DNS主机名的主机连接到31457端口，导致服务拒绝并且可能执行任意命令。

The following patch should be applied to the tetrinet source:
———————————-snip snip——————————-
diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c
— tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998
+++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999
@@ -2561,7 +2562,7 @@
/* Someone has just connected. So lets answer them */
void net_telnet(struct net_t *n, char *buf)
{
– unsigned long ip; int k,l; char s[121]; char strg[121];
+ unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];
char n1[4], n2[4], n3[4], n4[4];
struct channel_t *chan, *ochan;
struct net_t *net;
diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h
— tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998
+++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999
@@ -48,9 +48,8 @@
#define SERVERBUILD “16” /* What build we are at */
#define NICKLEN 30 /* Maximum length of Nickname */
#define VERLEN 10 /* Maximum length of Tetrinet version */
-#define UHOSTLEN 30 /* Maximum length of Hostname */
+#define UHOSTLEN 256 /* Maximum length of Hostname */
#define TEAMLEN NICKLEN /* Maximum length of teamname */
-/*#define MAXNET 80*/ /* Maximum network sockets */
#define MAXWINLIST 100 /* Maximum entries on Winlist */
#define TELNET_PORT 31457 /* Telnet port to listen on */
#define QUERY_PORT 31456 /* Query port to listen on */
diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
— tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998
+++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999
@@ -250,15 +250,17 @@
unsigned long ip;
{
struct hostent *hp; unsigned long addr=ip;
– unsigned char *p; static char s[121];
-/* alarm(10);*/
+ unsigned char *p; static char s[UHOSTLEN];
+
hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
if (hp==NULL) {
p=(unsigned char *)&addr;
sprintf(s,”%u.%u.%u.%u”,p[0],p[1],p[2],p[3]);
return s;
}
– strcpy(s,hp->h_name); return s;
+ strncpy(s,hp->h_name,(UHOSTLEN-1));
+ s[strlen(s)]=’\0′;
+ return s;
}
/* short routine to answer a connect received on a socket made previously
———————————-snip snip——————————-

来源: BID
名称: 340
链接:http://www.securityfocus.com/bid/340

来源: BUGTRAQ
名称: 19990217 Tetrix 1.13.16 is Vulnerable
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2