COMMAND

    Rwhoisd format string buffer overflow

SYSTEMS AFFECTED

    Rwhoisd 1.5 to 1.5.7.2

PROBLEM

    From alert7 of the NetGuard Security Team advisory [http://www.netguard.com.cn/]:

    Rwhoisd is a publicly available RWHOIS server daemon for Unix-based systems, developed and maintained by Network Solutions Inc. Rwhoisd contains another remotely exploitable format string vulnerability. It is possible to overwrite memory via syslog() if use-syslog: YES is set (the normal default is YES). Attackers may be able to execute arbitrary code on affected hosts.

    The log() function will call syslog(syslog_level, message) if use-syslog: YES is set in the rwhoisd.conf file. Unfortunately, message is a user-supplied format string.

    demo
    -----
    [alert7@redhat62 ]# telnet 0 4321
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    %rwhois V-1.5:003fff:00 localhost.localdomain (by Network Solutions, Inc. V-1.5.7-1)
    %p%p%p%p          <------ input
    %error 230 No Objects Found
    Connection closed by foreign host.
    [alert7@redhat62 ]# tail /var/log/messages
    Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query: 0xbffff8b00xbffff7fc0x808def80x806be4c
    Nov 21 13:04:06 redhat62 rwhoisd[27697]: CLIENT:127.0.0.1: query response: 0 hits

SOLUTION

    Coming soon.
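The bug class the advisory describes, shown as an added example that is not rwhoisd's code or the advisory's: the log line is built from client data and must reach syslog() through a fixed "%s" format rather than as the format itself, and a small check counts format directives in a query so a defender can flag probes like the one in the demo. Function names, the "CLIENT:ip: query: text" line shape and the sample input are constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count format directives in client-supplied text: every '%' that is not the
 * literal escape "%%". A non-zero count on a query field is what a detection
 * rule for this bug class would flag (constructed check, not rwhoisd code). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the log line in the shape seen in /var/log/messages. The query goes in
 * through "%s", so it is copied as data and its '%' characters stay literal. */
const char *format_query_log(const char *client_ip, const char *query)
{
    static char line[512];
    snprintf(line, sizeof line, "CLIENT:%s: query: %s", client_ip, query);
    return line;
}

/* Hardened logging. The advisory's vulnerable shape is
 *     syslog(syslog_level, message);      <- message is client data
 * which lets the client choose the directives; this call pins the format. */
void log_query_safe(int syslog_level, const char *client_ip, const char *query)
{
    syslog(syslog_level, "%s", format_query_log(client_ip, query));
}

int main(void)
{
    const char *query = "%p%p%p%p";   /* constructed input mirroring the demo */
    openlog("rwhoisd-demo", LOG_PID, LOG_DAEMON);
    if (count_format_directives(query) > 0)
        syslog(LOG_WARNING, "format directives in query from %s", "127.0.0.1");
    log_query_safe(LOG_INFO, "127.0.0.1", query);
    closelog();
    return 0;
}
```

With the fixed format the logged line reads "CLIENT:127.0.0.1: query: %p%p%p%p" instead of the pointer values shown in the advisory's tail output.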