Whoisd buffer overrun
Dear colleagues,

It was brought to our attention last night that the perl whoisd server the RIPE NCC is currently running is vulnerable to a buffer overflow attack.

We have taken action immediately and fixed this problem on our production servers. We have also checked for traces of people taking advantage of the vulnerability and concluded that this was not the case.

The whois service was not affected.

Should you be running a copy of our software, please apply the patch attached below to bin/whoisd. It truncates the query to 255 characters.

If you have any questions or comments, please contact <ripe-dbm@ripe.net>.

We would like to thank Geert Jan de Groot and Steve Bellovin for bringing this to our attention.

Kind Regards,

Mirjam Kuehne
Head External Services
RIPE NCC

--------------------

1. save the following text as /tmp/whoisdpatch

----------cut here------------------------------ *** whoisd.trunc Wed Feb 2 22:28:34 2000 --- whoisd Wed Feb 2 22:29:46 2000 *************** *** 1679,1694 **** $query=join(" ", @ARGV); } else { - my($trunclen); - alarm $KEEPOPEN if (!$commandline); $query=<$input>; - - # truncate to 255 chars - $trunclen = length($query); - $trunclen = 255 if $trunclen > 255; - substr( $query, $trunclen ) = ""; - } # &dpr("query: -$query- errorcode: -$!-\n"); --- 1679,1686 ---- ----------cut here--------------------------------

2. execute in the directory where your whoisd lives:

$ patch < /tmp/whoisdpatch
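Review bot: The diff direction is reversed. In the "*** 1679,1694 ****" section the truncation lines, from "my($trunclen);" through "substr( $query, $trunclen ) = "";", carry "-" markers and the old-file header names whoisd.trunc, so the patch as posted describes removing the 255-character truncation rather than adding it. Regenerate the diff with the unfixed file first, or change step 2 to use patch -R. Separately, the truncation sits only in the else branch after "$query=<$input>;", so the "$query=join(" ", @ARGV);" branch stays unbounded; placing the truncation after the closing "}" would cover both paths.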
On Thu, 3 Feb 2000, RIPE Database Administration wrote:
It was brought to our attention last night that the perl whoisd server the RIPE NCC is currently running is vulnerable to a buffer overflow
1. save the following text as /tmp/whoisdpatch
----------cut here------------------------------ *** whoisd.trunc Wed Feb 2 22:28:34 2000 --- whoisd Wed Feb 2 22:29:46 2000
[skip]
2. execute in the directory where your whoisd lives: $ patch < /tmp/whoisdpatch
I suppose everyone should pay attention that the patch mentioned is _reverse_ (i.e. old and new file had been swapped)

Sincerely, D.Marck
---------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@ti.ru ***
---------------------------------------------------------------------
Perhaps you should note that the patch has to be applied REVERSE. You can state this in the patch call like this:

$ patch -R < /tmp/whoisdpatch

You can see this if you examine the diff. No big problem, because without -R patch should detect this case and should ask if the patch should be applied reverse, though. But I haven't checked myself because I do not have a copy of whoisd running.

Anyway, I thank you for your quick warning.

-Tino

RIPE Database Administration wrote:
Dear colleagues,
It was brought to our attention last night that the perl whoisd server the RIPE NCC is currently running is vulnerable to a buffer overflow attack.
We have taken action immediately and fixed this problem on our production servers. We have also checked for traces of people taking advantage of the vulnerability and concluded that this was not the case.
The whois service was not affected.
Should you be running a copy of our software, please apply the patch attached below to bin/whoisd. It truncates the query to 255 characters.
If you have any questions or comments, please contact <ripe-dbm@ripe.net>.
We would like to thank Geert Jan de Groot and Steve Bellovin for bringing this to our attention.
Kind Regards,
Mirjam Kuehne
Head External Services
RIPE NCC

--------------------
1. save the following text as /tmp/whoisdpatch
----------cut here------------------------------ *** whoisd.trunc Wed Feb 2 22:28:34 2000 --- whoisd Wed Feb 2 22:29:46 2000 *************** *** 1679,1694 **** $query=join(" ", @ARGV); } else { - my($trunclen); - alarm $KEEPOPEN if (!$commandline); $query=<$input>; - - # truncate to 255 chars - $trunclen = length($query); - $trunclen = 255 if $trunclen > 255; - substr( $query, $trunclen ) = ""; - }
# &dpr("query: -$query- errorcode: -$!-\n"); --- 1679,1686 ---- ----------cut here--------------------------------
2. execute in the directory where your whoisd lives: $ patch < /tmp/whoisdpatch
-- Valentin `Tino' Hilbig mailto:tino@kiosk-online.de NOC Online-Kiosk GmbH http://www.noc.baycix.de/ Tel. +49-180-5654357 privat: http://geht.net/ Fax. +49-871-9253629 privat: nospam@geht.net
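One way to check which direction the announcement's patch applies in, and to confirm the truncation actually ends up in the file, as an added example that is not part of the original thread or RIPE's code. It assumes GNU patch and diff; the fixture is constructed from the patch lines quoted in the thread and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The fixture is constructed from the lines quoted in the
# announcement's patch; it is not the real bin/whoisd. Assumes GNU patch and diff.

make_fixture() {   # $1 = scratch directory
    mkdir -p "$1" && cat > "$1/whoisd.trunc" <<'EOF'
    $query=join(" ", @ARGV);
}
else {
    my($trunclen);
    alarm $KEEPOPEN if (!$commandline);
    $query=<$input>;
    # truncate to 255 chars
    $trunclen = length($query);
    $trunclen = 255 if $trunclen > 255;
    substr( $query, $trunclen ) = "";
}
EOF
    # Unfixed copy = fixed copy minus the truncation lines.
    grep -v trunc "$1/whoisd.trunc" > "$1/whoisd"
    # Same file order as the announcement (fixed file first), so the diff is reversed.
    ( cd "$1" && diff -c whoisd.trunc whoisd > whoisdpatch ) || [ $? -eq 1 ]
}

has_truncation() { grep -q 'trunclen = 255 if' "$1"; }

# Prints the direction in which the patch applies cleanly; nothing is modified.
patch_direction() {   # $1 = target file, $2 = patch file
    if patch -N -s --dry-run "$1" < "$2" >/dev/null 2>&1; then echo forward
    elif patch -R -s --dry-run "$1" < "$2" >/dev/null 2>&1; then echo reverse
    else echo mismatch; fi
}

# Applies the patch only when the file lacks the truncation, then verifies it.
# Without the first check, a forward apply would strip the fix from a fixed file.
apply_fix() {   # $1 = target file, $2 = patch file
    if has_truncation "$1"; then echo already-fixed; return 0; fi
    case "$(patch_direction "$1" "$2")" in
        forward) patch -N -s "$1" < "$2" ;;
        reverse) patch -R -s "$1" < "$2" ;;
        *) echo mismatch; return 1 ;;
    esac
    has_truncation "$1" && echo fixed
}
```

On an already fixed file patch_direction reports forward, which is why apply_fix checks for the truncation before touching anything.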
participants (3)
- Dmitry Morozovsky
- RIPE Database Administration
- Valentin Hilbig