
Gnome - libgtop_daemon format string vulnerability
28th Nov 2001 [SBWID-4881]
COMMAND

	libgtop_daemon format string vulnerability

SYSTEMS AFFECTED

	libgtop_daemon <= 1.0.12

PROBLEM

	Based on the Guillaume Pelat [www.intexxia.com] advisory:

	The two functions named syslog_message() and syslog_io_message() are
	called with a format string which is initialized by the client. The
	permitted() function, that verifies if the client trying to connect
	is authorized to, is concerned by this flaw. The libgtop_daemon daemon
	is launched with 'nobody' permissions by default. Complete exploitation
	of this vulnerability will permit an attacker to execute code with the
	'nobody' permissions.
	

	example:
	 

	Client side :

	~ % telnet 127.0.0.1 42800
	Trying 127.0.0.1...
	Connected to 127.0.0.1.
	Escape character is '^]'.
	%p%p
	Connection closed by foreign host.

	~ % telnet 127.0.0.1 42800
	Trying 127.0.0.1...
	Connected to 127.0.0.1.
	Escape character is '^]'.
	%n%n
	Connection closed by foreign host.

	Server side :

	~/# libgtop_daemon -f
	' from clientn[3877]: Invalid authentication protocol
	'0xbffff46c0x804b2ae
	libgtop-daemon[3877]: Refused connection from 127.0.0.1.
	Segmentation fault

	

	

	 Update

	 ======

	

	Flavio found additional problems:

	When investigating this issue I noticed another big security hole in
	the daemon. It's a buffer overflow in the same permitted() function,
	which may allow the client to execute code on the server. Here's the
	code:
	 

	permitted (u_long host_addr, int fd)
	{
	(...)
	    char buf[1024];
	    int auth_data_len;
	(...)
	        if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
	            return FALSE;

	        auth_data_len = atoi (buf);

	        if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
	            return FALSE;

	

	Here you can see the bug in action:

	$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
	   nc localhost 42800
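	The two reads that permitted() makes, replayed over an in-memory byte stream instead of a socket, as an added C example that is not the libgtop code. It applies the bounds check from the update patch further down this page (reject a length below 1 or above the buffer) and goes a little further than that patch: the 10-byte header is parsed strictly with strtol instead of atoi, and one byte of the buffer is reserved for a terminator. The magic-string exchange that precedes the header is not modelled, and mem_stream, stream_read, parse_auth_len, read_auth_data and check_client are names chosen here, not the daemon's.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-memory stand-in for the client socket (constructed input, not a real fd). */
struct mem_stream { const unsigned char *data; size_t len, pos; };

/* Stand-in for timed_read(): copy up to 'want' bytes, return how many were read. */
static size_t stream_read(struct mem_stream *s, char *dst, size_t want)
{
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Strict replacement for 'auth_data_len = atoi (buf)': decimal digits only,
 * nothing but NUL padding after them, value within [1, maxlen].
 * Returns -1 on any violation. */
long parse_auth_len(const char *hdr, size_t hdrlen, size_t maxlen)
{
    char tmp[16];
    char *end;
    long v;

    if (hdrlen >= sizeof tmp)
        return -1;
    memcpy(tmp, hdr, hdrlen);
    tmp[hdrlen] = '\0';

    errno = 0;
    v = strtol(tmp, &end, 10);
    if (errno != 0 || end == tmp)
        return -1;
    for (; end < tmp + hdrlen; end++)       /* only NUL padding may follow */
        if (*end != '\0')
            return -1;
    if (v < 1 || (unsigned long)v > maxlen)  /* the patch's bounds check */
        return -1;
    return v;
}

/* The two reads permitted() makes: a 10-byte length header, then the
 * announced number of bytes.  Returns 1 if accepted, 0 if the client is refused. */
int read_auth_data(struct mem_stream *s, char *buf, size_t buflen)
{
    char hdr[10];
    long len;

    if (stream_read(s, hdr, sizeof hdr) != sizeof hdr)
        return 0;
    len = parse_auth_len(hdr, sizeof hdr, buflen - 1);   /* keep room for NUL */
    if (len < 0)
        return 0;
    if (stream_read(s, buf, (size_t)len) != (size_t)len) /* short read: refuse */
        return 0;
    buf[len] = '\0';
    return 1;
}

/* Assemble a client message (NUL-padded 10-byte header + payload) and run it
 * through read_auth_data; returns 1 if the daemon would accept it. */
int check_client(const char *hdr, const char *payload, size_t payload_len,
                 char *out, size_t outlen)
{
    unsigned char msg[10 + 4096];
    struct mem_stream s;
    size_t hl = strlen(hdr);

    if (hl > 10 || payload_len > sizeof msg - 10)
        return 0;
    memset(msg, 0, 10);
    memcpy(msg, hdr, hl);
    memcpy(msg + 10, payload, payload_len);
    s.data = msg; s.len = 10 + payload_len; s.pos = 0;
    return read_auth_data(&s, out, outlen);
}

int main(void)
{
    char out[1024], big[2000];
    memset(big, 'A', sizeof big);   /* the advisory's ("A"x2000) payload, constructed here */
    printf("header 5, payload \"hello\" accepted: %d\n",
           check_client("5", "hello", 5, out, sizeof out));
    printf("header 2000, payload A x 2000 accepted: %d\n",
           check_client("2000", big, sizeof big, out, sizeof out));
    return 0;
}
```

	The 2000-byte case is refused at the header, before any payload is copied into the 1024-byte buffer; a header that passes the range check but announces more bytes than the client then sends is refused by the short-read test, so the buffer is never left holding unterminated partial data.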

	

	

SOLUTION

	Although there is an official solution, here is the way to patch the
	sources to resolve this problem. The file 'src/daemon/gnuserv.c' must
	be modified:

	In function syslog_message(), replace :

	  syslog (priority, buffer);

	by :

	  syslog (priority, "%s", buffer);


	And in function syslog_io_message(), replace :

	  syslog (priority, buffer2);

	by :

	  syslog (priority, "%s", buffer2);
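	The fix above, as an added C example that is not the libgtop code: a syslog_message()-style helper that formats a daemon-chosen format string plus a client-controlled argument with vsnprintf, then hands the result to a syslog-like sink through a fixed "%s" format. The sink is an in-memory capture buffer standing in for syslog(3) so the example runs offline; fake_syslog, syslog_message_fixed, count_format_directives and log_refused are names chosen here. The directive counter shows what the vulnerable call would have parsed out of the client bytes, which is also a cheap detection heuristic for authentication data that should never contain '%'.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[BUFSIZ];   /* stands in for the syslog(3) sink */

/* Simulated syslog(3).  In the daemon this is the sink that must never
 * receive client data in its format argument. */
static void fake_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Fixed form of syslog_message(): 'format' is a literal chosen by the
 * daemon; client bytes only ever travel through the '...' arguments. */
static void syslog_message_fixed(int priority, const char *format, ...)
{
    char buffer[BUFSIZ];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof buffer - 1, format, ap);
    va_end(ap);
    /* Vulnerable original:  syslog (priority, buffer);
     * 'buffer' now holds client bytes, so every '%' they sent would be
     * parsed as a directive.  Passing it as the argument of "%s" ends that. */
    fake_syslog(priority, "%s", buffer);
}

/* Count the '%' directives a client string would introduce if it were ever
 * used as a format ("%%" is a literal percent and is not counted). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

/* Log a refused client the fixed way and return the line as the sink saw it. */
const char *log_refused(const char *client_data)
{
    syslog_message_fixed(4 /* LOG_WARNING */,
                         "Invalid authentication protocol from client: %s",
                         client_data);
    return last_log;
}

int main(void)
{
    const char *probe = "%p%p";   /* constructed client input, as in the advisory */
    printf("directives in client data: %d\n", count_format_directives(probe));
    printf("logged line: %s\n", log_refused(probe));
    return 0;
}
```

	With the "%s" form the client's "%p%p" reaches the log verbatim instead of being expanded into stack addresses, which is exactly the difference between the '0xbffff46c0x804b2ae' line in the server transcript above and a harmless message. Building the daemon with -Wformat-security makes the compiler flag the original non-literal syslog call.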

	

	

	The Laboratory intexxia developed the following patch to correct this
	vulnerability. However, the simplest and probably the best way to
	resolve this issue is to install the new version at the above link in
	the solution section:
	 

	  diff -dru libgtop-1.0.12/src/daemon/gnuserv.c

	  libgtop-1.0.12-patched/src/daemon/gnuserv.c

	  --- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001

	  +++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001

	  @@ -93,7 +93,7 @@

	       vsnprintf (buffer, BUFSIZ-1, format, ap);

	       va_end (ap);

	

	  -    syslog (priority, buffer);

	  +    syslog (priority, \"%s\", buffer);

	   }

	 

	   void
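	Review bot: the call sites of syslog_message() need the same audit as this sink. The change from `-    syslog (priority, buffer);` to `+    syslog (priority, \"%s\", buffer);` is correct and complete for this line, because `buffer` has just been filled by `vsnprintf (buffer, BUFSIZ-1, format, ap)` and may contain client bytes; it only closes the hole if every caller passes a literal as `format`, since a caller that hands client data in as `format` would still have it interpreted by that vsnprintf. Building with -Wformat-security flags the original non-literal call and would catch any such caller as well.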

	  @@ -108,7 +108,7 @@

	       va_end (ap);

	

	       snprintf (buffer2, BUFSIZ-1, \"%s: %s\", buffer, strerror (errno));

	  -    syslog (priority, buffer2);

	  +    syslog (priority, \"%s\", buffer2);

	   }

	 

	   /*
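	Review bot: `strerror (errno)` in the context line `snprintf (buffer2, BUFSIZ-1, \"%s: %s\", buffer, strerror (errno));` reads errno after the formatting call that precedes `va_end (ap)`, which is allowed to change it, so the logged error text can describe the wrong failure; saving errno into a local at function entry and formatting that copy keeps the diagnostic accurate. The `\"%s\"` change itself is correct and mirrors the previous hunk.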

	

	

	 Update

	 ======

	

	Additional patch from Flavio:

	Here goes the patch. It should be applied against 1.0.13 (released on
	2001-11-27). Notice that this new version _already_ fixed the format
	bug, but _not_ the buffer overflow. You should apply the patch or wait
	for 1.0.14.
	

	 

	diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c

	--- libgtop-1.0.13.orig/src/daemon/gnuserv.c	Mon Nov 26 20:37:59 2001

	+++ libgtop-1.0.13/src/daemon/gnuserv.c	Tue Nov 27 09:16:16 2001

	@@ -200,6 +200,12 @@

	

	 	auth_data_len = atoi (buf);

	

	+	if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {

	+	    syslog_message(LOG_WARNING,

	+			   \"Invalid data length supplied by client\");

	+	    return FALSE;

	+	}

	+

	 	if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)

	 	    return FALSE;
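	Review bot: the upper bound in `+	if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {` still admits `auth_data_len == sizeof(buf)`, which fills `buf` completely and leaves no room for a terminator; if the authentication data is afterwards handled as a C string, the test should be `>= sizeof(buf)`. The order of the two tests matters and deserves a comment: `< 1` is evaluated first, so a negative `auth_data_len` is rejected before it is compared with the unsigned `sizeof(buf)`, where it would otherwise be promoted to a large value and pass. The check also depends on `buf` being the `char buf[1024]` array of this scope rather than a pointer, since `sizeof` would silently become the pointer size otherwise. Finally, the context line `auth_data_len = atoi (buf);` accepts any leading non-digits and overflows silently on long digit strings; strtol with an end-pointer and range check would make the header parse as strict as the new length check.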

	

	


	

	

	FreeBSD patch:

	[i386]
	ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/libgtop-1.0.12_1.tar.gz
	ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/libgtop-1.0.12_1.tar.gz

	[alpha]
	Packages are not automatically generated for the alpha architecture at
	this time due to lack of build resources.

	

	
