COMMAND

Perdition format string vulnerability

SYSTEMS AFFECTED

Perdition 0.1.8 (libvanessa_logger 0.0.1)

PROBLEM

GOBBLES Security reported [http://www.bugtraq.org/] :

--snip--
There exists a format string vulnerability in the libvanessa_logger library used by the program perdition which allows a remote penetrator to take over the admin's server and his emails :(

$ id
uid=1001(GOBBLES) gid=1001(GOBBLES) groups=1001(GOBBLES)
$ # just making sure we are unprivileged user!
$
$ telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK POP3 Ready freegobbles.bugtraq.org
USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p
+OK USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p set
PASS HEHEHE!

In the system logs written by the program syslogd, GOBBLES notices:

Dec 18 06:23:36 freegobbles perdition[42804]: Connect: user="GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->0x8053140-0xbfbffb78-0x2807cc6c" server="(null)" port="110"

While playing around a bit, the stupid program perdition suddenly dies :-(

Dec 18 16:24:53 freegobbles perdition[42898]: Exiting on signal 11

GOBBLES Labs find it to be a very difficult bug to exploit, but then GOBBLES member Simon came up with a clever thing and 8 hours later our team got a bash# from it hehehe.

GOBBLES won't release an exploit this time because perdition appears to be widely used (music & spam site mp3.com uses the perdition program) and there are plenty of rpms, debs etc. with the indirectly vulnerable perdition program out there.
--snap--

SOLUTION

As a temporary fix GOBBLES modified libvanessa_logger.c:

- syslog(priority, vl->buffer);
+ syslog(priority, "%s", vl->buffer);

FreeBSD upgrade: vanessa_logger 0.0.2 is available from
ftp://ftp.vergenet.net/pub/vanessa/vanessa_logger/0.0.2
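Review bot: passing vl->buffer as an argument to a constant "%s" format is the right fix for this syslog() call site; while here, confirm that no other sink in libvanessa_logger (a vsyslog, fprintf or custom handler path) still receives vl->buffer as its format argument, and build with -Wformat-security so a non-literal format with no arguments is flagged at compile time rather than found by a "%p-%p-%p" probe in the logs.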
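The fixed call pattern from the SOLUTION next to the check a log-monitoring rule could apply to the user= field of perdition's "Connect:" syslog line, as an added example that is not code from perdition or libvanessa_logger. All function names are made up for the example, snprintf() stands in for syslog() so the rendered line can be inspected, and the syslog line in the test is constructed after the one in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed vanessa_logger call (not the library's own code): the
 * caller-controlled text is an argument of a constant "%s" format, so any '%' in
 * it is copied literally.  The real fix is  syslog(priority, "%s", vl->buffer); */
static int log_fixed(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "Connect: user=\"%s\"", user_text);
}

/* Count printf-style conversion directives in an untrusted string.  A legitimate
 * POP3 username should contain none; the advisory's "%p-%p-%p" probe yields 3.
 * "%%" is a literal percent sign and is not counted. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }     /* escaped percent, skip both */
        const char *q = p + 1;                  /* skip flags/width/precision/length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {
            n++;
            p = q;
        }
    }
    return n;
}

/* Apply the check to the user="..." field of a perdition "Connect:" syslog line,
 * as a log-monitoring rule would.  Returns the directive count, or -1 when the
 * line carries no user= field. */
static int directives_in_syslog_line(const char *line)
{
    const char *u = strstr(line, "user=\"");
    if (u == NULL) return -1;
    u += strlen("user=\"");
    const char *end = strchr(u, '"');
    if (end == NULL) return -1;
    char field[512];
    size_t len = (size_t)(end - u);
    if (len >= sizeof field) len = sizeof field - 1;
    memcpy(field, u, len);
    field[len] = '\0';
    return count_format_directives(field);
}
```

With the fixed call the probe string survives verbatim in the log, which is exactly what makes it detectable; on the vulnerable 0.0.1 library it is replaced by stack values, as in the advisory's log line.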