Bug 63616 - Remote Buffer Overflow in Webalizer
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: webalizer
Version: 7.2
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Ngo Than
Keywords: Security
Reported: 2002-04-16 08:02 EDT by Bruce Garlock
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-04-17 20:20:04 EDT

Description Bruce Garlock 2002-04-16 08:02:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020310

Description of problem:
This notice is from securiteam.com:

Remote Buffer Overflow in Webalizer (DNS Resolve)

The Webalizer is a fast, free web server log file analysis program. It produces
highly detailed, easily configurable usage reports in HTML format, for viewing
with a standard web browser. A security vulnerability in the product allows
attackers to cause the program to crash causing it to execute arbitrary code.

Vulnerable systems:
Webalizer version 2.01-09
Webalizer version 2.01-06

The Webalizer has the ability to perform reverse DNS lookups. This ability is
disabled by default, but if enabled, an attacker with control over his DNS
service has the ability to gain remote root access to a machine, due to a
buffer overflow in the reverse resolving code.

(NOTE: Webalizer version 2.01-06 is part of Red Hat Linux 7.2 distribution,
enabled by default and run daily by the cron daemon.)

Additional Information:
The information has been provided by Spybreak. 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1. Use webalizer

Actual Results: I have not confirmed the buffer overflow; however, the advisory
states that RH 7.2 is vulnerable.

Additional info:
Comment 1 Ngo Than 2002-04-16 10:39:41 EDT
Could you please give a testcase, how to reproduce this bug? Thanks.
Comment 2 Bernhard Rosenkraenzer 2002-04-16 14:26:29 EDT
Is this the same problem as the one outlined on 
http://lwn.net/2001/1108/a/webalizer.php3? 
Sounds alike (and this is supposed to be fixed in -09, if you're still seeing 
this problem in -09, please provide a sample exploit or any other hint on why 
you think it's still a problem).
Comment 3 Chris Ricker 2002-04-17 20:19:53 EDT
It is the same.

Brad just released webalizer-2.01-10 which fixes it.  From his bugtraq post:

<quote>
Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
From: Bradford L. Barrett <brad@mrunix.net>
To: Franck Coppola <franck@hosting42.com>
Cc: Spybreak <spybreak@host.sk>, bugtraq@securityfocus.com,
     vulnwatch@vulnwatch.org
Subject: Re: Remote buffer overflow in Webalizer


> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still
fail to see how can be used to execute a 'root' exploit, even with a LOT
of imagination), but will cause the buffer to be filled with a non-null
terminated string which will do all sorts of nasty things to your output,
not to mention wreak havoc on the stats since you are cutting off the
domain portion, not the hostname part, and adding random garbage at the
end.

Anyway, Version 2.01-10 has been released, which fixes this and a few
other buglets that have been discovered in the last month or so.  Get it
at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org
or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites
soon.

</quote>
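
The failure mode described in the quoted reply above, as an added C example (not Webalizer's code and not the patch under discussion): a bounded copy that leaves the buffer unterminated and keeps the host end of the name, beside one that always terminates and keeps the domain. `HOST_MAX`, the function names and the host name are constructed for illustration, and dropping the leftmost labels is an assumed truncation policy.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 16 /* assumed size, kept small so the demo name overflows it */
/* Bounded copy with no terminator: strncpy() writes no NUL when src has
 * n or more bytes, and what survives is the host end of the name. */
static void copy_unterminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
}

/* Always terminates. An over-long name loses its leftmost (host) labels,
 * so the domain stays intact. Returns 1 if shortened, 0 if not, -1 on n == 0. */
static int copy_keep_domain(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    int cut = 0;
    if (n == 0) return -1;
    if (len >= n) {
        const char *dot;
        src += len - (n - 1);          /* rightmost n-1 bytes */
        dot = strchr(src, '.');
        if (dot && dot[1])
            src = dot + 1;             /* drop the partial leading label */
        len = strlen(src);
        cut = 1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return cut;
}

static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

int main(void)
{
    const char *name = "very-long-host-label.stats.example.com"; /* constructed */
    char buf[HOST_MAX];
    memset(buf, 'X', sizeof buf);
    copy_unterminated(buf, sizeof buf, name);
    printf("unterminated copy: NUL present=%d bytes=%.*s\n",
           is_terminated(buf, sizeof buf), (int)sizeof buf, buf);
    printf("keep-domain copy:  cut=%d text=%s\n",
           copy_keep_domain(buf, sizeof buf, name), buf);
    return 0;
}
```

The first result must never be passed to `%s` or `strlen()`, which is why the demo prints it with an explicit length.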
Comment 4 Ngo Than 2002-06-18 15:07:59 EDT
2.01-10 in rawhide.
