[Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
- From: Martin Baulig <martin home-of-linux org>
- To: gnome-hackers gnome org
- Subject: [Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
- Date: 26 Nov 2001 22:51:09 +0100
Hi,
can someone please have a look at this and make a new libgtop release
for me ?
Unfortunately, I have no time at all for this for the next two months since
I'm way too busy with my learning.
Thanks in advance,
Martin
--- Begin Message ---
- From: Benoît Roussel <benoit roussel intexxia com>
- To: <martin home-of-linux org>
- Cc: "CERT - INTEXXIA" <cert intexxia com>
- Subject: [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
- Date: Mon, 26 Nov 2001 16:23:05 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
26 11 2001 ID #1048-261101
________________________________________________________________________
TITLE : libgtop_daemon Remote Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________
SYSTEM AFFECTED
===============
libgtop_daemon <= 1.0.12
________________________________________________________________________
DESCRIPTION
===========
The Laboratory intexxia found a remote exploitable format string
vulnerability in libgtop_daemon which could cause privilege escalation
on a remote system.
________________________________________________________________________
DETAILS
=======
libgtop_daemon is a GNOME daemon used to monitor process running
on a remote system.
The Laboratory intexxia just found a remote format string
vulnerability in this daemon. The 2 functions names syslog_message() and
syslog_io_message() are called with a format string which is initialized
by the client.
By sending a specially crafted format string to the server, it
is possible for a remote attacker to execute arbitrary code on the
remote system with the daemon permissions. This vulnerability could
cause privilege escalation.
The permitted() function, that verifies if the client trying to
to connect is authorized to, is concerned by this flaw.
The libgtop_daemon daemon is launched with 'nobody' permissions
by default. Complete exploitation of this vulnerability will permit an
attacker to execute code with the 'nobody' permissions. But this flaw
could be used to compromize the local system by exploiting other local
vulnrabilities.
________________________________________________________________________
PROOF OF CONCEPT
================
Here is a proof of concept to show where the problem occurs :
Client side :
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%p%p
Connection closed by foreign host.
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%n%n
Connection closed by foreign host.
Server side :
~/# libgtop_daemon -f
' from clientn[3877]: Invalid authentication protocol
'0xbffff46c0x804b2ae
libgtop-daemon[3877]: Refused connection from 127.0.0.1.
Segmentation fault
________________________________________________________________________
WORKAROUND
==========
There is no official solution for the moment. But it is possible
to correct the problem by modifying the file 'src/daemon/gnuserv.c' :
In function syslog_message(), replace :
syslog (priority, buffer);
by :
syslog (priority, "%s", buffer);
And in function syslog_io_message(), replace :
syslog (priority, buffer2);
by :
syslog (priority, "%s", buffer2);
The Laboratory intexxia developped the following patch to correct this
vulnerability :
diff -dru libgtop-1.0.12/src/daemon/gnuserv.c
libgtop-1.0.12-patched/src/daemon/gnuserv.c
--- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001
+++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001
@@ -93,7 +93,7 @@
vsnprintf (buffer, BUFSIZ-1, format, ap);
va_end (ap);
- syslog (priority, buffer);
+ syslog (priority, "%s", buffer);
}
void
@@ -108,7 +108,7 @@
va_end (ap);
snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));
- syslog (priority, buffer2);
+ syslog (priority, "%s", buffer2);
}
/*
________________________________________________________________________
VENDOR STATUS
=============
26-11-2001 : This bulletin was sent to the libgtop_daemon
developpment team.
This vulnerability will be publically released in 7 days if
intexxia do not get any answer from the libgtop_daemon developpement
team by this time.
________________________________________________________________________
DISCLAIMER
==========
Intexxia provides these informations as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.
________________________________________________________________________
DIFFUSION CRITERIA
==================
(c) Intexxia 2001. These informations are classified restricted
which means that you cannot redistribute it outside the Cert community.
________________________________________________________________________
CONTACT
=======
CERT intexxia cert intexxia com
INTEXXIA Standard : +33 1 55 69 49 10
171, av. Georges Clemenceau Fax : +33 1 55 69 78 80
92024 Nanterre Cedex - France
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPAJeVk2N8BNyNDXLEQKlpQCeMtU1aAjhCbbJ3Q2/40RPeUNjwQwAniU7
IO6fBykeYUnxEmQkwJKzJuRN
=TexM
-----END PGP SIGNATURE-----
--- End Message ---
--
Martin Baulig
martin gnome org
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
