Bug 63616

Summary: Remote Buffer Overflow in Webalizer
Product: [Retired] Red Hat Linux
Reporter: Bruce Garlock <bruce>
Component: webalizer
Assignee: Than Ngo <than>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 7.2
CC: chris.ricker
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-04-18 00:20:04 UTC

Description Bruce Garlock 2002-04-16 12:02:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020310

Description of problem:
This notice is from securiteam.com:

Remote Buffer Overflow in Webalizer (DNS Resolve)

The Webalizer is a fast, free web server log file analysis program. It produces
highly detailed, easily configurable usage reports in HTML format, for viewing
with a standard web browser. A security vulnerability in the product allows
attackers to cause the program to crash causing it to execute arbitrary code.

Vulnerable systems:
Webalizer version 2.01-09
Webalizer version 2.01-06

The Webalizer has the ability to perform reverse DNS lookups. This ability is
disabled by default, but if enabled, an attacker with control over his DNS
service has the ability to gain remote root access to a machine, due to a
buffer overflow in the reverse resolving code.

(NOTE: Webalizer version 2.01-06 is part of Red Hat Linux 7.2 distribution,
enabled by default and run daily by the cron daemon.)

Additional Information:
The information has been provided by Spybreak. 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1. Use webalizer

Actual Results:  I have not confirmed the buffer overflow, however the advisory
states that RH 7.2 is vulnerable.

Additional info:

Comment 1 Than Ngo 2002-04-16 14:39:41 UTC
Could you please give a test case showing how to reproduce this bug? Thanks.

Comment 2 Bernhard Rosenkraenzer 2002-04-16 18:26:29 UTC
Is this the same problem as the one outlined on 
http://lwn.net/2001/1108/a/webalizer.php3? 
Sounds alike (and this is supposed to be fixed in -09, if you're still seeing 
this problem in -09, please provide a sample exploit or any other hint on why 
you think it's still a problem).

Comment 3 Chris Ricker 2002-04-18 00:19:53 UTC
It is the same.

Brad just released webalizer-2.01-10 which fixes it.  From his bugtraq post:

<quote>
Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
From: Bradford L. Barrett <brad>
To: Franck Coppola <franck>
Cc: Spybreak <spybreak>, bugtraq,
     vulnwatch
Subject: Re: Remote buffer overflow in Webalizer


> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still
fail to see how can be used to execute a 'root' exploit, even with a LOT
of imagination), but will cause the buffer to be filled with a non-null
terminated string which will do all sorts of nasty things to your output,
not to mention wreak havoc on the stats since you are cutting off the
domain portion, not the hostname part, and adding random garbage at the
end.

Anyway, Version 2.01-10 has been released, which fixes this and a few
other buglets that have been discovered in the last month or so.  Get it
at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org
or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites
soon.

</quote>
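
The two objections in the quoted reply (a length-limited copy that leaves the buffer unterminated, and truncation that drops the domain instead of the host label), as an added C example; this is not Webalizer's code or the patch discussed in the thread, neither of which appears on this page. `HOSTBUF`, both function names and the sample hostname are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTBUF 32  /* hypothetical field size, not Webalizer's actual value */

/* Constructed sample: a 52-byte reverse-DNS name, longer than HOSTBUF. */
static const char SAMPLE[] =
    "a-very-long-host-label-0123456789.dialup.example.net";

/* The failure mode from the reply: strncpy() stops the overflow, but when
 * src has n or more bytes it writes no terminator, and it keeps the leading
 * host label while dropping the domain at the end. */
void copy_strncpy_only(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
}

/* Bounded copy that always NUL-terminates. If the name does not fit, keep
 * the rightmost bytes so the domain survives, starting at a label boundary
 * where one exists. Returns 1 if the name was truncated, 0 otherwise. */
int copy_keep_domain(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    const char *tail, *dot;

    if (n == 0)
        return 1;                      /* nothing can be stored */
    if (len < n) {
        memcpy(dst, src, len + 1);     /* fits, terminator included */
        return 0;
    }
    tail = src + (len - (n - 1));      /* last n-1 bytes of the name */
    dot = strchr(tail, '.');
    if (dot != NULL && dot[1] != '\0')
        tail = dot + 1;                /* skip the partial leading label */
    memcpy(dst, tail, strlen(tail) + 1);
    return 1;
}

int main(void)
{
    char out[HOSTBUF];
    int cut = copy_keep_domain(out, sizeof out, SAMPLE);
    printf("truncated=%d name=%s\n", cut, out);
    return 0;
}
```
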

Comment 4 Ngo Than 2002-06-18 19:07:59 UTC
2.01-10 in rawhide.