CVE-ID

CVE-2002-0180

Description
Buffer overflow in Webalizer 2.01-06, when configured to use reverse DNS lookups, allows remote attackers to execute arbitrary code by connecting to the monitored web server from an IP address that resolves to a long hostname.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
20020417
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20050510)
Votes (Legacy)
ACCEPT(4) Baker, Cole, Cox, Green
MODIFY(2) Frech, Jones
NOOP(4) Armstrong, Christey, Foat, Wall
Comments (Legacy)
 Cox> According to the author of Webalizer the issue is not remotely
   exploitable, but this hasn't been confirmed by us yet.  Needs
   investigation.
   
   http://www.mrunix.net/webalizer/news.html
 CHANGE> [Cox changed vote from MODIFY to REVIEWING]
 Cox> Author says this cannot be exploited to execute arbitrary code
 Jones> Description of acknowledged vulnerability indicates remotely
   exploitable (buffer overflow is in code which is processing
   input from a remote system (a DNS server)); root or non-root
   depends on privileges of resolver process (which is likely
   same as privileges of Webalizer process).  So, remotely
   exploitable to run arbitrary code with privileges of the
   Webalizer process.
 Cox> I actually meant that the author doesn't think this is an exploitable
   overflow at all, see 
   
   ---------- Forwarded message ----------
   Date: Wed, 17 Apr 2002 02:19:37 -0400 (EDT)
   From: Bradford L. Barrett <brad@mrunix.net>
   To: Franck Coppola <franck@hosting42.com>
   Cc: Spybreak <spybreak@host.sk>, bugtraq@securityfocus.com,
   vulnwatch@vulnwatch.org
   Subject: Re: Remote buffer overflow in Webalizer
   
   
  > Here is a patch to fix the vulnerability (tested against webalizer-2.01-06).
   
   Bad fix.. while it will prevent the buffer from overflowing (which I still
   fail to see how can be used to execute a 'root' exploit, even with a LOT
   of imagination), but will cause the buffer to be filled with a non-null
   terminated string which will do all sorts of nasty things to your output,
   not to mention wreak havoc on the stats since you are cutting off the
   domain portion, not the hostname part, and adding random garbage at the
   end.
   
   Anyway, Version 2.01-10 has been released, which fixes this and a few
   other buglets that have been discovered in the last month or so.  Get it
   at the usual place (web: www.mrunix.net/webalizer/ or www.webalizer.org
   or ftp: ftp.mrunix.net/pub/webalizer/), and should be on the mirror sites
   soon.
   
   --
   Bradford L. Barrett                      brad@mrunix.net
   A free electron in a sea of neutrons     DoD#1750 KD4NAW
   
   
 Christey> XF:webalizer-reverse-dns-bo(8837)
   URL:http://www.iss.net/security_center/static/8837.php
   BID:4504
   URL:http://www.securityfocus.com/bid/4504
   VULNWATCH:20020415 [VulnWatch] Remote buffer overflow in Webalizer
   URL:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0017.html
   ENGARDE:ESA-20020423-009
   CONECTIVA:CLA-2002:476
   URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000476
 CHANGE> [Cox changed vote from REVIEWING to ACCEPT]
 Cox> after reviewing I agree with the description given
 Frech> XF: webalizer-reverse-dns-bo(8837)
 Christey> REDHAT:RHSA-2002:254
 Christey> CALDERA:CSSA-2002-036.0
   (note: CVE-2002-1234 was accidentally assigned to that Caldera
   advisory, but this is the correct CAN to use)
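
The failure mode raised in the forwarded message above (a length-capped copy that stops the overflow but leaves the hostname buffer without a terminating NUL and drops the domain portion), shown as an added example; it is not Webalizer's code, the posted patch, or the 2.01-10 fix. The buffer size `HOST_MAX`, the function names and the sample hostname are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 16  /* assumed size for illustration, not Webalizer's value */

/* Length-capped copy with the effect the message describes: strncpy() stops
 * at HOST_MAX bytes and writes no NUL when the source is that long or longer. */
static void copy_capped(char dst[HOST_MAX], const char *resolved)
{
    strncpy(dst, resolved, HOST_MAX);
}

/* Bounded copy that always terminates. When the name does not fit, keep the
 * tail (the domain portion) instead of the head. Returns 1 if truncated. */
static int copy_keep_domain(char dst[HOST_MAX], const char *resolved)
{
    size_t len = strlen(resolved);
    int truncated = len >= HOST_MAX;
    const char *src = truncated ? resolved + (len - (HOST_MAX - 1)) : resolved;

    if (truncated && src[-1] != '.') {
        /* The cut fell inside a label: advance to the next label boundary. */
        const char *dot = strchr(src, '.');
        if (dot != NULL && dot[1] != '\0')
            src = dot + 1;
    }
    memcpy(dst, src, strlen(src) + 1);   /* copies the terminating NUL too */
    return truncated;
}

/* Returns 1 if the buffer holds a NUL somewhere in its HOST_MAX bytes. */
static int is_terminated(const char buf[HOST_MAX])
{
    return memchr(buf, '\0', HOST_MAX) != NULL;
}

int main(void)
{
    /* Constructed sample hostname, longer than HOST_MAX. */
    const char *name = "a-very-long-host-label.dialup.example.net";
    char a[HOST_MAX], b[HOST_MAX];

    copy_capped(a, name);
    int cut = copy_keep_domain(b, name);
    printf("capped copy terminated: %d\n", is_terminated(a));
    printf("keep-domain copy: \"%s\" (truncated=%d)\n", b, cut);
    return 0;
}
```

Any later `strlen()` or `printf("%s")` on the first buffer reads past its end, which is the garbage-in-output effect the message describes.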

Proposed (Legacy)
20020502
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.