Solar Designer (solar@FALSE.COM)
Wed, 31 Dec 1997 04:47:04 -0300


Well, this problem is too simple, so I'm not even sure it's worth posting,
but here it is anyway. This applies to vhost v0.4, available at:

Its README says:
For each "nowait" service in /etc/inetd.conf, you "insert"
/usr/sbin/vhost before the command (before /usr/sbin/tcpd
generally). After doing a "killall -HUP inetd", you will be
able to setup virtual hosts. Normal operation won't be affected.

This is wrong: normal operation IS affected, in such a way that tcpd is
simply not used. This means no connection logging for many services, and
no hosts.allow/hosts.deny access control. However, the services continue
working, so it's possible the admin will not notice the problem.

There are also buffer overflows, and missing syscall return value checks.
If, for some reason, chroot() succeeds, but chdir() doesn't, then someone
might be able to log in with their virtual host password, and then break
out of chroot()...
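To show what "checking the return values" looks like in practice, here is an added example (my own code, not vhost's): a bounded path build, a chdir()/chroot() sequence that refuses to continue on any failure, and the execv() hand-over in the argv[0]/argv+1 form the patch uses. Function names, the "/etc/vhost"-style prefix and the sample paths are assumptions, not taken from vhost.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Build "<root>/<domain>" into out, refusing (not truncating) anything
   that does not fit: the bounded equivalent of a fixed PATH_MAX buffer.
   Returns 0 on success, -1 (errno = ENAMETOOLONG) if it would overflow. */
int build_vhost_path(char *out, size_t outsz, const char *root, const char *domain)
{
    int n = snprintf(out, outsz, "%s/%s", root, domain);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* chdir() + chroot() with every return value checked. On failure the reason
   is logged and -1 returned, so the caller can refuse the connection instead
   of serving from the wrong (or no) jail. Needs root privileges to succeed. */
int enter_jail(const char *path)
{
    if (chdir(path) != 0) {
        syslog(LOG_ERR, "chdir(%s): %s", path, strerror(errno));
        return -1;
    }
    if (chroot(path) != 0) {
        syslog(LOG_ERR, "chroot(%s): %s", path, strerror(errno));
        return -1;
    }
    if (chdir("/") != 0) {   /* make the cwd unambiguous inside the jail */
        syslog(LOG_ERR, "chdir(/) after chroot: %s", strerror(errno));
        return -1;
    }
    return 0;
}

/* Hand over to the next program the way the patched vhost does: argv[0] is
   the wrapper to run (e.g. tcpd) and argv+1 becomes its argument vector.
   Only returns (-1) if execv() itself fails, and logs why. */
int exec_next(char *argv[])
{
    if (argv[0] == NULL) { errno = EINVAL; return -1; }
    execv(argv[0], argv + 1);
    syslog(LOG_ERR, "execv(%s): %s", argv[0], strerror(errno));
    return -1;
}
```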

Below is a quick and dirty patch that fixes the above problems. The real
fix would be re-coding, since the whole thing (which is only 4 Kb of C
source) looks quite broken. For example, it updates password files with
no locking, while there can be multiple connections at a time.

--- vhost.c.orig Wed Aug 20 07:53:39 1997
+++ vhost.c Tue Dec 30 07:40:54 1997
@@ -163,7 +163,7 @@

int main (int argc, char *argv[])
- char domain[PATH_MAX];
+ char domain[PATH_MAX - 80];
openlog ("vhost",LOG_PID,LOG_DAEMON);
if (vhost_getourname(domain,sizeof(domain))!=-1
&& vhost_finddomain (domain)!=-1){
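Review bot: `char domain[PATH_MAX - 80]` only removes the overflow if every later write that builds `path` from `domain` adds at most 80 bytes, and nothing in this hunk enforces that; tie the size to the actual concatenation, or do the copy with a length-checked call (snprintf plus a truncation test) instead of a constant. Note also that the changed line sits directly after `int main (int argc, char *argv[])` with no opening brace in the context, so the hunk as shown may not apply cleanly; regenerate it with full context.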
@@ -174,14 +174,13 @@
if (file_date(pathetc)!=0){
vhost_setuppasswd (domain);
syslog (LOG_NOTICE,"Changing directory/root to %s",path);
- chdir (path);
- chroot (path);
+ if (chdir (path) || chroot (path)) return 1;
syslog (LOG_NOTICE,"No /etc directory for vdomain %s: using main domain"
- execv (argv[1],argv+1);
+ execv (argv[0],argv+1);
return 1;
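Review bot: `if (chdir (path) || chroot (path)) return 1;` exits silently on failure, and the whole point of this report is that the admin does not notice when vhost misbehaves; log the failing call and errno before returning (e.g. `syslog (LOG_ERR, "chdir/chroot %s: %m", path);`). The same applies to the unconditional `return 1;` after `execv (argv[0],argv+1)`: a failed execv should be logged as well, since from inetd's side the connection just drops. Finally, the `argv[1]` to `argv[0]` change only restores tcpd when the first server-argument token in inetd.conf is the wrapper path, so the README line this fix relies on should state that convention explicitly.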

P.S. And now, here's a little New Year present to those of you who just got
that new Intel chip with the Password Cracking Extension in it, called MMX
for some unknown reason. This is a quick hack, and proof of concept only, so
I don't release the sources yet, but you can get the Linux ELF binary (MMX
_required_) at http://www.false.com/security/john/. Still, I think some of
you will enjoy the 30% speedup on a Pentium II, compared to my previous best
non-MMX x86 assembly version running on the same CPU. This one does 33K c/s
raw on a P-II at 233 MHz that I was testing on, so that you can compare. :-)

Solar Designer