RWhois vulnerability
Updated 11/27/01
CAN 2001-0838
CAN 2001-0913
Impact
A remote attacker could execute arbitrary commands on
the server.
Background
RWhois (Referral Whois)
is a protocol for distributed directory services that publish
information about domains and IP networks. It is an extension
of the whois
protocol.
The Problem
10/29/01
CAN 2001-0838
The daemon which implements the RWhois service (rwhoisd)
is affected by a format string vulnerability in the print_error
function. It is possible for a remote attacker to specify the
format string through the -soa directive, allowing
him or her to overwrite process memory. Arbitrary commands could
be executed by sending a specially crafted request. Versions of RWhois
up through 1.5.7.1 are affected by this vulnerability.
11/27/01
CAN 2001-0913
Due to a second, unrelated format string vulnerability in rwhoisd,
it is also possible for a remote attacker to execute arbitrary commands
using the syslog() function. This vulnerability can
only be exploited if the use-syslog variable
is set to YES, which is the case by default. Versions of
RWhois up through 1.5.7.2 are affected by this vulnerability.
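Both flaws described above share one pattern: client-supplied text reaches a printf-style function (print_error in the first case, syslog() in the second) as the format argument. The C sketch below is an added example, not rwhoisd source code; render_error, report_client_error and the sample input are hypothetical names constructed here to show the unsafe call shape next to the corrected one.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical reporter (not rwhoisd's print_error). The format attribute
 * lets gcc/clang flag callers that pass a non-literal format string when
 * built with -Wformat -Wformat-security. */
__attribute__((format(printf, 3, 4)))
static int render_error(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);  /* bounded; NUL-terminated if outsz > 0 */
    va_end(ap);
    return n;  /* length the full message would need */
}

/* Returns the untruncated message length; out receives the rendered line. */
int report_client_error(char *out, size_t outsz, const char *client_text,
                        int use_syslog)
{
    /* Unsafe shape, left as a comment only: the client text is the format,
     * so any conversion specifiers in it are interpreted.
     *     render_error(out, outsz, client_text);
     *     syslog(LOG_ERR, client_text);
     */

    /* Corrected shape: constant format, client text passed as data. */
    int n = render_error(out, outsz, "error: %s", client_text);
    if (use_syslog)
        syslog(LOG_ERR, "%s", out);
    return n;
}

int main(void)
{
    char line[128];
    /* Constructed input containing conversion specifiers. */
    report_client_error(line, sizeof line, "%x.%x.%n", 0);
    puts(line);
    return 0;
}
```

With the constant format in place, the specifiers in the client text are logged verbatim and an undersized buffer truncates the message without writing past its end.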
Resolution
Apply a vendor patch or upgrade when one becomes available.
Until a patch or upgrade is available, it would be advisable to
disable rwhoisd or block access to TCP port 4321
at the network perimeter.
Where can I read more about this?
See the following two postings to Bugtraq:
222756 and 241965.