COMMAND

    Sun rarpd remote and local format strings overflow

SYSTEMS AFFECTED

    ??

PROBLEM

    David evlis reign of DER systems says:

    rarpd is a reverse ARP protocol daemon for small to medium sized
    networks. In the Solaris implementation (in.rarpd) there seem to be 3
    remotely exploitable buffer overflows, 2 locally exploitable ones and 2
    cases of format string exploitability. The functions error and syserr
    (syserr also being used by other in.* implementations, which are also
    exploitable, but not the topic of this advisory today) contain 2 common
    syslog calls without format strings.

        /* Quoted in.rarpd source (fragment; includes and cmdname omitted). */
        static void
        syserr(s)
            char *s;
        {
            char buf[256];

            /* unbounded: s plus strerror() text can exceed 256 bytes */
            (void) sprintf(buf, "%s: %s", s, strerror(errno));
            (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
            syslog(LOG_ERR, buf);   /* buf is passed as the format string */
            exit(1);
        }

        /* VARARGS1 */
        static void
        error(char *fmt, ...)
        {
            char buf[256];
            va_list ap;

            va_start(ap, fmt);
            (void) vsprintf(buf, fmt, ap);   /* unbounded write into buf */
            va_end(ap);
            (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
            syslog(LOG_ERR, buf);   /* buf is passed as the format string */
            exit(1);
        }

    There are two vulnerable calls which could be exploited locally or
    remotely.

SOLUTION

    Not yet
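The advisory gives no fix, so the following is an added example (not Sun's code and not part of the advisory) of how the two quoted helpers look once hardened: the buffer is bounded with snprintf/vsnprintf, and the message reaches syslog() as an argument of a fixed "%s" format rather than as the format itself. cmdname is assumed to be the daemon's program-name global; count_format_directives is a helper added here so a reviewer can see how many conversions an untrusted string would carry into syslog().

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Assumed: the daemon's program name, like in.rarpd's cmdname global. */
static const char *cmdname = "in.rarpd";

/* Count conversion directives an untrusted string would carry into
 * syslog() if it were used as the format argument ("%%" is a literal). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Bounded replacement for syserr()'s sprintf(): writes "s: strerror(err)"
 * into buf and returns 1 if the message had to be truncated to fit. */
int build_syserr_msg(char *buf, size_t bufsz, const char *s, int err)
{
    int n = snprintf(buf, bufsz, "%s: %s", s, strerror(err));
    return n < 0 || (size_t)n >= bufsz;
}

/* Hardened syserr(): bounded buffer, constant format string for syslog(). */
void syserr_hardened(const char *s)
{
    char buf[256];
    (void) build_syserr_msg(buf, sizeof buf, s, errno);
    (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
    syslog(LOG_ERR, "%s", buf);   /* buf is data, never the format */
    exit(1);
}

/* Hardened error(): vsnprintf() instead of vsprintf(), same syslog fix. */
void error_hardened(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    (void) vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    (void) fprintf(stderr, "%s: %s\n", cmdname, buf);
    syslog(LOG_ERR, "%s", buf);   /* buf is data, never the format */
    exit(1);
}
```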