|
Vulnerability mopd Affected OpenBSD 2.7, NetBSD 1.4.2, FreeBSD Description Matt Power found following. The mopd (Maintenance Operations Protocol loader daemon) implementation in OpenBSD 2.7 and NetBSD 1.4.2 includes a step in which the daemon receives a file name from a client elsewhere on the network. Matt found one point at which the client can overflow a buffer in the server by sending a long file name. Also, he found two points at which the server uses the client-supplied file name directly as part of a format string in a syslog(3) function call (this is potentially problematic if the file name contains any % characters). Matt reported these issues to the OpenBSD and NetBSD security contact addresses at 00:04 UTC on 29 June 2000. He received a reply from the OpenBSD project at 00:15 UTC on 29 June, and a reply from the NetBSD Project at 03:05 UTC on 29 June. There are other versions of mopd that you might possibly be using. Download locations include ftp://ftp.redhat.com/pub/redhat/powertools/6.2/i386/SRPMS/mopd-linux-2.5.3-4.src.rpm ftp://ftp.stacken.kth.se/pub/OS/NetBSD/mopd/mopd-linux-2.5.3.tar.gz ftp://linux-vax.sourceforge.net/pub/linux-vax/tools/misc/mopd-linux.tar.gz Matt suspects that currently all of these are vulnerable versions. To check for the buffer-overflow problem yourself, look at the function mopProcessDL in the file process.c. Older versions of the code declare a 17-character buffer named pfile, and rely directly on a value of tmpc (an unsigned char value obtained over the network from the client) to determine how much data to write into this buffer, regardless of whether the buffer is smaller than tmpc. To check for the syslog problem, look for "syslog(LOG_INFO, line);". Solution An OpenBSD 2.7 security advisory was issued on 5 July - see http://www.openbsd.org/security.html#27 http://www.openbsd.org/errata.html#mopd Patches for NetBSD have also been written -- you may wish to look at http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/mopd/mopd/process.c For FreBSD, deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mopd-1.2b.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mopd-1.2b.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mopd-1.2b.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mopd-1.2b.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/mopd-1.2b.tgz For RedHat: ftp://updates.redhat.com/powertools/6.2/sparc/mopd-linux-2.5.3-15.sparc.rpm ftp://updates.redhat.com/powertools/6.2/alpha/mopd-linux-2.5.3-15.alpha.rpm ftp://updates.redhat.com/powertools/6.2/i386/mopd-linux-2.5.3-15.i386.rpm ftp://updates.redhat.com/powertools/6.2/SRPMS/mopd-linux-2.5.3-15.src.rpm Conectiva Linux does not ship mopd.