VID 23008
Severity 40
Port 4321
Protocol TCP
Class RWHOIS
Detailed Description The rwhois daemon is vulnerable to a format string attack when a request is supplied with malformed arguments (such as %p%p%p). An attacker may use this flaw to gain a shell on the relevant host.
Rwhoisd is a RWHOIS daemon provided by Network Solutions. RWHOIS is a protocol for remote listing of user name, login time, elapsed time online and other pertinent data for users connected to all machines on a network.
When a remote request is logged through the syslog function, the format string passed to it contains user-supplied input. This may lead to memory corruption and to the execution of arbitrary code by rwhoisd. This only occurs when the option "set use-syslog: YES" is set in the rwhoisd.conf file. This option is enabled by default.
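
The logging pattern described above, next to its corrected form, as an added example that is not rwhoisd's own code. The function names, the log text and the sample peer addresses are assumptions made for illustration; the request is always passed as data to a constant format string, and requests that carry format directives are flagged.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (shown as a comment only, never compiled):
 *     syslog(LOG_INFO, request);   request text is parsed as a format string
 */

/* Heuristic: count printf-style directives in untrusted text.
 * "%%" is a literal percent sign and a trailing lone '%' is ignored. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Build the log record with a constant format; the request is data only. */
int format_record(char *out, size_t outlen, const char *peer, const char *request)
{
    return snprintf(out, outlen, "query from %s: %s", peer, request);
}

/* Corrected logging call: the format argument to syslog() is a literal. */
void log_request(const char *peer, const char *request)
{
    char rec[512];
    format_record(rec, sizeof rec, peer, request);
    if (count_directives(request) > 0)
        syslog(LOG_WARNING, "%s [format directives in request]", rec);
    else
        syslog(LOG_INFO, "%s", rec);
}

int main(void)
{
    openlog("rwhoisd-example", LOG_PID, LOG_DAEMON);
    log_request("192.0.2.10", "%p%p%p");        /* constructed sample */
    log_request("192.0.2.11", "example.com");   /* constructed sample */
    closelog();
    return 0;
}
```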

*** Note that secuiSCAN relied solely on the banner version to issue this warning. If you manually patched rwhoisd, you may not be vulnerable to this flaw.
Recommendation Disable the rwhois service if not needed
-- OR --
Remove the line 'set use-syslog: YES' from the rwhoisd.conf file.
-- OR --
Upgrade to version 1.5.7.3 or newer
Related URL CVE-2001-0913 (CVE)
Related URL 3571 (SecurityFocus)
Related URL (ISS)