Re: [Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability

From: Flavio Veloso <flaviovs magnux com>
To: Martin Baulig <martin home-of-linux org>
Cc: <gnome-hackers gnome org>, Benoît Roussel <benoit roussel intexxia com>
Subject: Re: [Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
Date: Tue, 27 Nov 2001 09:54:46 -0200 (BRST)

On 26 Nov 2001, Martin Baulig wrote:

Hi.

While investigating this issue I noticed another big security hole in
the libgtop daemon. There's a trivial buffer overflow in the very same
permitted() function, which may allow the client to execute code on
the server. This is as serious as the previus bug reported by
INTEXXIA. Here's the buggy code:

permitted (u_long host_addr, int fd)
{
(...)
    char buf[1024];
    int auth_data_len;
(...)
        if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
            return FALSE;

        auth_data_len = atoi (buf);

        if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_le
n)
            return FALSE;

Here you can see the bug in action:

$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
   nc localhost 42800

Here goes the patch. It should be applied against 1.0.13 (released
today):

diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c	Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c	Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@

 	auth_data_len = atoi (buf);

+	if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+	    syslog_message(LOG_WARNING,
+			   "Invalid data length supplied by client");
+	    return FALSE;
+	}
+
 	if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
 	    return FALSE;

Here's the src/daemon/ChangeLog entry:

2001-11-27  Flavio Veloso  <flaviovs magnux com>

	* gnuserv.c: Fix a potential buffer overflow in permitted() that
	may allow the client to execute code on the server.



> can someone please have a look at this and make a new libgtop release
> for me ?
>
> Unfortunately, I have no time at all for this for the next two months since
> I'm way too busy with my learning.
>
> ________________________________________________________________________
> SECURITY ADVISORY                                            INTEXXIA(c)
> 26 11 2001                                               ID #1048-261101
> ________________________________________________________________________
> TITLE   : libgtop_daemon Remote Format String Vulnerability
> CREDITS : Guillaume Pelat / INTEXXIA
> ________________________________________________________________________
>
>
> SYSTEM AFFECTED
> ===============
>
>         libgtop_daemon <= 1.0.12
>
>
> ________________________________________________________________________
>
>
> DESCRIPTION
> ===========
>
>         The Laboratory intexxia found a remote exploitable format string
> vulnerability in  libgtop_daemon which could cause  privilege escalation
> on a remote system.

--
Flávio



_______________________________________________
gnome-hackers mailing list
gnome-hackers gnome org
http://mail.gnome.org/mailman/listinfo/gnome-hackers

References:
- [Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
  - From: Martin Baulig

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]