COMMAND

    BNU uucpd

SYSTEMS AFFECTED

    OSF 1.0, 2.0
    SunOS 4.1.3, 4.1.4
    Solaris 2.2, 2.3, 2.4, 2.5.1
    NetBSD 1.3, 1.3.1
    OpenBSD 2.1, 2.2

PROBLEM

    Matt Conover (RepSec Team) found the following. Upon successfully
    logging into a system with uucpd, the daemon will attempt to
    record wtmp information. However, due to insufficient bounds
    checking, a buffer overflow can result when uucpd attempts to copy
    the connecting hostname into a buffer with a predefined size.

    While overwriting the buffer, the attacker can manipulate the
    stack and execute their own commands, possibly gaining root access
    to the system. The attacker must have an account on the system
    for this to be exploited. This problem is present in BNU uucpd,
    which is not installed by default on every operating system.
    uucpd also may not always run as root.
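
    The unchecked hostname copy described above, next to a bounded copy
    that always terminates and reports truncation. This is an added
    example, not code from uucpd or the advisory; LINE_SZ, struct ll_rec,
    copy_bounded, record_host and strncpy_terminates are hypothetical
    names and sizes.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SZ 16   /* assumed size; the page does not give the real one */

/* Constructed stand-in for the login record the daemon writes. */
struct ll_rec { char ll_line[8]; char ll_host[LINE_SZ]; };

/* Bounded copy: always NUL-terminates dst; returns 1 if src was truncated. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dstsz == 0) return 1;
    n = strlen(src);
    if (n < dstsz) { memcpy(dst, src, n + 1); return 0; }
    memcpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return 1;
}

/* Fill the record from a peer-supplied hostname; -1 means it did not fit. */
int record_host(struct ll_rec *ll, const char *remotehost)
{
    char line[LINE_SZ];
    int truncated = copy_bounded(line, sizeof line, remotehost);
    memset(ll, 0, sizeof *ll);
    copy_bounded(ll->ll_line, sizeof ll->ll_line, line);
    copy_bounded(ll->ll_host, sizeof ll->ll_host, remotehost);
    return truncated ? -1 : 0;
}

/* strncpy with a limit of size-1 writes no terminator when src is longer:
 * returns 1 only if a NUL ended up somewhere inside the buffer. */
int strncpy_terminates(const char *src)
{
    char line[LINE_SZ];
    memset(line, 0x7f, sizeof line);        /* simulate stale stack bytes */
    strncpy(line, src, sizeof(line) - 1);
    return memchr(line, '\0', sizeof line) != NULL;
}

int main(void)
{
    struct ll_rec r;
    char longname[200];                     /* constructed over-long hostname */
    memset(longname, 'h', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("short: %d\n", record_host(&r, "host.example"));
    printf("long:  %d\n", record_host(&r, longname));
    printf("strncpy terminates long input: %d\n", strncpy_terminates(longname));
    return 0;
}
```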

    For more information on this type of attack, point your web
    browsers to

        http://www.repsec.com/bofs.html

SOLUTION

    A generic patch has been made publicly available by the RSI
    staff. For NetBSD's patch please refer to:

        http://www.repsec.com/advisory/0002.patch.html

    Generic patch follows (apply the following patch to uucpd.c):

    --- uucpd.old.c     Thu Feb  6 06:34:45 1997
    +++ uucpd.c    Tue Apr  7 16:37:46 1998
    @@ -300,7 +300,8 @@

                    time(&ll.ll_time);
                    lseek(f, pw->pw_uid * sizeof(struct lastlog), 0);
    -               strcpy(line, remotehost);
    +               strncpy(line, remotehost, sizeof(line)-1);
                    SCPYN(ll.ll_line, line);
                    SCPYN(ll.ll_host, remotehost);
                    (void) write(f, (char *) &ll, sizeof ll);
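
    Review bot: the added strncpy(line, remotehost, sizeof(line)-1) bounds
    the copy but does not terminate line. When remotehost is longer than
    the limit, no NUL is written, and line is then passed to
    SCPYN(ll.ll_line, line) unterminated unless its last byte already
    happened to be zero. Add line[sizeof(line)-1] = '\0'; directly after
    the strncpy. The hunk header (-300,7 +300,8) declares one more line on
    the new side than this copy shows, so a line of the patch appears to
    have been lost here; check it against the original before applying.
    Also confirm that line is declared as an array in this scope, since
    sizeof(line) would otherwise yield a pointer size.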