From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020310

Description of problem:
This notice is from securiteam.com:

Remote Buffer Overflow in Webalizer (DNS Resolve)

The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser. A security vulnerability in the product allows attackers to cause the program to crash causing it to execute arbitrary code.

Vulnerable systems:
Webalizer version 2.01-09
Webalizer version 2.01-06

The Webalizer has the ability to perform reverse DNS lookups. This ability is disabled by default, but if enabled, an attacker with control over his DNS service, has the ability to gain remote root access to a machine, due to a buffer overflow in the reverse resolving code.

(NOTE: Webalizer version 2.01-06 is part of Red Hat Linux 7.2 distribution, enabled by default and run daily by the cron daemon.)

Additional Information:
The information has been provided by Spybreak.

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
1. Use webalizer
2.
3.

Actual Results: I have not confirmed the buffer overflow, however the advisory states that RH 7.2 is vulnerable.

Additional info:
Could you please give a testcase for how to reproduce this bug? Thanks.
Is this the same problem as the one outlined on http://lwn.net/2001/1108/a/webalizer.php3? Sounds alike (and this is supposed to be fixed in -09, if you're still seeing this problem in -09, please provide a sample exploit or any other hint on why you think it's still a problem).
It is the same. Brad just released webalizer-2.01-10 which fixes it. From his bugtraq post:

<quote>
Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
From: Bradford L. Barrett <brad>
To: Franck Coppola <franck>
Cc: Spybreak <spybreak>, bugtraq, vulnwatch
Subject: Re: Remote buffer overflow in Webalizer

> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still fail to see how can be used to execute a 'root' exploit, even with a LOT of imagination), but will cause the buffer to be filled with a non-null terminated string which will do all sorts of nasty things to your output, not to mention wreak havoc on the stats since you are cutting off the domain portion, not the hostname part, and adding random garbage at the end.

Anyway, Version 2.01-10 has been released, which fixes this and a few other buglets that have been discovered in the last month or so. Get it at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites soon.
</quote>
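The two defects named in the quoted reply (an unterminated buffer, and truncation that drops the domain instead of the host part) can be seen in the C sketch below. It is an added example, not code from Webalizer or from the patch under discussion, neither of which appears on this page; it assumes a fixed-size hostname buffer, and HOSTBUF, copy_truncating and copy_keep_domain are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define HOSTBUF 16  /* constructed small size so the sample name does not fit */

/* Truncating copy of the kind the reply criticises (assumed shape; the patch
 * is not on the page). strncpy() writes no terminator when src has n or more
 * bytes. Returns 1 if dst ends up NUL-terminated within n bytes, else 0. */
int copy_truncating(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Bounded copy that always terminates and, when the name does not fit,
 * keeps the rightmost whole labels (the domain) rather than the host part.
 * Returns the number of bytes dropped from the front of src. */
size_t copy_keep_domain(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src), skip = 0;
    const char *dot;

    if (n == 0)
        return len;                         /* nothing can be stored */
    if (len >= n) {
        skip = len - (n - 1);               /* minimum to drop from the front */
        /* Unless already at a label boundary, advance past the next dot. */
        if (src[skip - 1] != '.' && (dot = strchr(src + skip, '.')) != NULL)
            skip = (size_t)(dot - src) + 1;
    }
    memcpy(dst, src + skip, len - skip + 1); /* +1 copies the '\0' */
    return skip;
}

int main(void)
{
    /* Constructed reverse-lookup answer, longer than HOSTBUF. */
    const char *name = "dsl-0123456789.pool.example.net";
    char a[HOSTBUF], b[HOSTBUF];

    printf("truncating copy terminated: %d\n",
           copy_truncating(a, sizeof a, name));
    copy_keep_domain(b, sizeof b, name);
    printf("domain-preserving copy: %s\n", b);
    return 0;
}
```
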
2.01-10 in rawhide.