xorl %eax, %eax

CVE-2009-1476: IPFilter Buffer Overflow


IPFilter (commonly referred to as IPF) is widely deployed NAT and firewall software. It is installed by default in major operating systems such as FreeBSD, NetBSD and Solaris. This bug was found and reported by Maksymilian Arciemowicz of SecurityReason on 30 April 2009. It affects IPFilter 4.1.31 and probably earlier releases too. Here is the vulnerable function from this release:

2  * Copyright (C) 2006 by Darren Reed.
     ...
11 /*
12  * Format expected is one addres per line, at the start of each line.
13  */
14 alist_t *
15 load_http(char *url)
16 {
17         int fd, len, left, port, endhdr, removed;
18         char *s, *t, *u, buffer[1024], *myurl;
19         alist_t *a, *rtop, *rbot;
20         struct sockaddr_in sin;
21         struct hostent *host;
     ...
23         /*
24          * More than this would just be absurd.
25          */
26         if (strlen(url) > 512) {
27                 fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
28                 return NULL;
29         }
     ...
35         sprintf(buffer, "GET %s HTTP/1.0\r\n", url);
     ...
54         sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);
     ...
182 }


This code is part of lib/load_http.c. The function fetches an address list (one address per line, as the comment above it says) from an HTTP URL. The argument passed to it is that URL string. As you can read at line 26, the maximum length of the passed URL is 512 bytes. The character array buffer, into which the HTTP request is assembled with two unchecked sprintf() calls (lines 35 and 54), is a 1024-byte local on the stack (line 18). The host name written at line 54 is carved out of the same URL: everything after the 7-byte "http://" prefix and before the first '/', so it can be up to 504 bytes long. Now... simple calculations give us this:

URL max. length      =  512
"Host: \r\n\r\n"     =   10
"GET  HTTP/1.0\r\n"  =   15
Max. hostname        =  504
                  -----------
                       1041

That is 1041 bytes (1042 with the terminating NUL that sprintf() appends), written into a buffer of only 1024 bytes, so a worst-case URL overwrites past the end of a stack array. Maksymilian Arciemowicz also noticed that this function is used by programs such as ippool. In my opinion, the best highlight was Henning Brauer's response to this bug when it was disclosed on the openbsd-bugs mailing list. He simply said:

and how does that affect OpenBSD?
We replaced ipfilter more than 7 years ago.
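To make the arithmetic above concrete, here is an added example (not IPFilter's own code) that reproduces the two sprintf() format strings from load_http() in a length calculation, builds the worst-case URL that the 512-byte check still admits, and shows a hardened replacement that assembles the same request with snprintf() and checks the return values. The host extraction is a simplified stand-in for load_http()'s parsing (skip "http://", cut at the first '/', no user@ or :port handling); the names http_host, request_len, build_request and worst_case_url are mine, not IPFilter's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_MAX  512   /* limit enforced by load_http()            */
#define BUF_SIZE 1024  /* size of load_http()'s request buffer     */

/* Simplified stand-in for load_http()'s host parsing: skip the 7-byte
 * scheme and cut at the first '/'. Returns a malloc'd copy (caller frees)
 * or NULL for a malformed URL. Ignores user@ and :port handling. */
char *http_host(const char *url) {
    if (strncmp(url, "http://", 7) != 0) return NULL;
    const char *s = url + 7;
    const char *slash = strchr(s, '/');
    if (slash == NULL) return NULL;
    size_t n = (size_t)(slash - s);
    char *host = malloc(n + 1);
    if (host == NULL) return NULL;
    memcpy(host, s, n);
    host[n] = '\0';
    return host;
}

/* Bytes the two sprintf() calls in load_http() write for a given URL and
 * host, terminating NUL included. This is the arithmetic from the post,
 * plus the NUL that sprintf() appends. */
size_t request_len(const char *url, const char *host) {
    return strlen("GET ") + strlen(url) + strlen(" HTTP/1.0\r\n")
         + strlen("Host: ") + strlen(host) + strlen("\r\n\r\n") + 1;
}

/* Hardened version of the two sprintf() calls: same formats, but bounded
 * by snprintf() and checked. Returns bytes written (NUL excluded), or -1
 * when the URL is too long, malformed, or the request does not fit. */
int build_request(char *buf, size_t bufsize, const char *url) {
    if (strlen(url) > URL_MAX) return -1;
    char *host = http_host(url);
    if (host == NULL) return -1;

    int n = snprintf(buf, bufsize, "GET %s HTTP/1.0\r\n", url);
    if (n < 0 || (size_t)n >= bufsize) { free(host); return -1; }

    int m = snprintf(buf + n, bufsize - (size_t)n, "Host: %s\r\n\r\n", host);
    free(host);
    if (m < 0 || (size_t)m >= bufsize - (size_t)n) return -1;
    return n + m;
}

/* Worst case the "> 512" check lets through: "http://" + 504-byte host + "/".
 * Constructed input for the demonstration; caller frees. */
char *worst_case_url(void) {
    char *url = malloc(URL_MAX + 1);
    if (url == NULL) return NULL;
    memcpy(url, "http://", 7);
    memset(url + 7, 'a', 504);
    url[URL_MAX - 1] = '/';
    url[URL_MAX] = '\0';
    return url;
}

int main(void) {
    char *url = worst_case_url();
    char *host = http_host(url);
    char buf[BUF_SIZE];

    printf("URL length %zu, host length %zu\n", strlen(url), strlen(host));
    printf("request needs %zu bytes, buffer holds %d\n",
           request_len(url, host), BUF_SIZE);
    printf("build_request() on worst case: %d (-1 = rejected)\n",
           build_request(buf, sizeof buf, url));

    free(host);
    free(url);
    return 0;
}
```

For the worst-case URL request_len() reports 1042 bytes against a 1024-byte buffer, which is exactly the overflow the post computes; build_request() refuses the same input instead of writing past the end of the array, while an ordinary URL still produces the expected request.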

Written by xorl

May 21, 2009 at 14:48

Posted in bugs, freebsd, netbsd, solaris
