Bug 63616 - Remote Buffer Overflow in Webalizer
Summary: Remote Buffer Overflow in Webalizer
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: webalizer
Version: 7.2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-04-16 12:02 UTC by Bruce Garlock
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-04-18 00:20:04 UTC
Embargoed:



Description Bruce Garlock 2002-04-16 12:02:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020310

Description of problem:
This notice is from securiteam.com:

Remote Buffer Overflow in Webalizer (DNS Resolve)

The Webalizer is a fast, free web server log file analysis program. It produces
highly detailed, easily configurable usage reports in HTML format, for viewing
with a standard web browser. A security vulnerability in the product allows
attackers to cause the program to crash causing it to execute arbitrary code.

Vulnerable systems:
Webalizer version 2.01-09
Webalizer version 2.01-06

The Webalizer has the ability to perform reverse DNS lookups. This ability is
disabled by default, but if enabled, an attacker with control over his DNS
service, has the ability to gain remote root access to a machine, due to a
buffer overflow in the reverse resolving code.

(NOTE: Webalizer version 2.01-06 is part of Red Hat Linux 7.2 distribution,
enabled by default and run daily by the cron daemon.)

Additional Information:
The information has been provided by Spybreak. 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1. Use webalizer
2.
3.
	

Actual Results:  I have not confirmed the buffer overflow, however the advisory
states that RH 7.2 is vulnerable.

Additional info:

Comment 1 Than Ngo 2002-04-16 14:39:41 UTC
Could you please give a test case showing how to reproduce this bug? Thanks.

Comment 2 Bernhard Rosenkraenzer 2002-04-16 18:26:29 UTC
Is this the same problem as the one outlined on 
http://lwn.net/2001/1108/a/webalizer.php3? 
Sounds alike (and this is supposed to be fixed in -09, if you're still seeing 
this problem in -09, please provide a sample exploit or any other hint on why 
you think it's still a problem).

Comment 3 Chris Ricker 2002-04-18 00:19:53 UTC
It is the same.

Brad just released webalizer-2.01-10 which fixes it.  From his bugtraq post:

<quote>
Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
From: Bradford L. Barrett <brad>
To: Franck Coppola <franck>
Cc: Spybreak <spybreak>, bugtraq,
     vulnwatch
Subject: Re: Remote buffer overflow in Webalizer


> Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).

Bad fix.. while it will prevent the buffer from overflowing (which I still
fail to see how can be used to execute a 'root' exploit, even with a LOT
of imagination), but will cause the buffer to be filled with a non-null
terminated string which will do all sorts of nasty things to your output,
not to mention wreak havoc on the stats since you are cutting off the
domain portion, not the hostname part, and adding random garbage at the
end.

Anyway, Version 2.01-10 has been released, which fixes this and a few
other buglets that have been discovered in the last month or so.  Get it
at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org
or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites
soon.

</quote>
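
The reply quoted in Comment 3 names two requirements for a correct fix: the buffer must stay NUL-terminated, and an over-long name should lose its host part rather than its domain. The C sketch below is an added example, not Webalizer's code or either patch (neither appears on this page); `naive_copy`, `copy_hostname`, `HOST_BUF` and the sample names are hypothetical, and `strncpy` stands in as one common way an unterminated truncation arises.

```c
#include <stdio.h>
#include <string.h>

#define HOST_BUF 16  /* constructed size, small so the sample name overflows it */

/* Failure mode from the reply: strncpy() stops after n bytes and writes no
 * NUL when the source is n bytes or longer. Returns 1 if dst is terminated
 * within its n bytes, 0 if it is not. */
int naive_copy(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Bounded copy that always terminates. When the name does not fit, the
 * leading (host) labels are dropped and the trailing (domain) part is kept.
 * Returns 1 if truncated, 0 if copied whole, -1 on bad arguments. */
int copy_hostname(char *dst, size_t n, const char *src)
{
    size_t len;
    const char *start, *dot;

    if (dst == NULL || src == NULL || n == 0)
        return -1;
    len = strlen(src);
    if (len < n) {                      /* fits, terminator included */
        memcpy(dst, src, len + 1);
        return 0;
    }
    start = src + (len - (n - 1));      /* last n-1 bytes of the name */
    if (start[-1] != '.') {             /* cut landed inside a label */
        dot = strchr(start, '.');
        if (dot != NULL && dot[1] != '\0')
            start = dot + 1;            /* resume at the next whole label */
    }
    memcpy(dst, start, strlen(start) + 1);
    return 1;
}

int main(void)
{
    char buf[HOST_BUF];
    const char *name = "a-very-long-host.dialup.example.net"; /* constructed */

    printf("naive copy terminated: %d\n", naive_copy(buf, sizeof buf, name));
    printf("truncated: %d -> %s\n", copy_hostname(buf, sizeof buf, name), buf);
    return 0;
}
```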

Comment 4 Ngo Than 2002-06-18 19:07:59 UTC
2.01-10 in rawhide.

