27th Nov 2001 [SBWID-4877]
COMMAND
Auto Nice Daemon Format String Vulnerability
SYSTEMS AFFECTED
AND <= 1.0.4
PROBLEM
Guillaume Pelat [www.intexxia.com] says:
AND (Auto Nice Daemon, http://and.sourceforge.net/) is a daemon which
allows one to automatically change a user process if it uses too much CPU
time. It can also kill the process if it goes beyond a defined level.
AND is vulnerable to a format string bug. A local user can exploit this
issue to gain higher privileges on the local system. He only needs to
run a process with a name containing a format string, like
'%n%n%n%n'.
The problem occurs when the program calls the syslog(3) function with
the process name as second parameter. As a user can create a process
named as he wants, it is easy to exploit this vulnerability.
Complete exploitation of this vulnerability can lead to a privilege
escalation on the system. As the AND process runs as 'root', a local
user could execute arbitrary code with 'root' privileges.
PROOF OF CONCEPT
================
It is simple to create a program using a lot of CPU time with a special
name to exploit this bug:
% cat foo.c
/* Busy loop: keeps the process above AND's CPU limit so the daemon logs its name. */
int main(void)
{
    while (1);
    return 0;
}
% gcc foo.c -o %n%n%n%n
% ./%n%n%n%n
This causes a segmentation fault in the AND daemon.
SOLUTION
There is an official solution right now. It can be found on the
following web site. Update AND to version 1.0.5:
http://and.sourceforge.net
You can also apply the following patch which fixes the vulnerability:
diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c
--- and-1.0.4/and.c Sat Jul 7 21:43:15 2001
+++ and-1.0.4-patched/and.c Fri Nov 23 11:50:27 2001
@@ -218,7 +218,7 @@
fflush(out);
} else {
/* write to syslog if in full operations */
- syslog(LOG_WARNING,buffer);
+ syslog(LOG_WARNING, \"%s\", buffer);
}
}
va_end(args);
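Review bot: the hunk fixes only the syslog branch of this logging function; the `if` branch that writes to `out` and ends with `fflush(out);` at line 218 is outside the visible context, so confirm that the same `buffer` is not also handed to `fprintf(out, ...)`-style code as the format string there, and that the vsnprintf/vsprintf call that fills `buffer` before `va_end(args)` bounds its length to `sizeof buffer`. The `+` line should read `syslog(LOG_WARNING, "%s", buffer);`; the backslashes before the double quotes in `\"%s\"` look like an artifact of how the advisory was archived and must not be carried into and.c.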
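To make the difference between the two `syslog` calls in the patch concrete, here is an added example (not code from the advisory or from the AND project) that mirrors the pattern: a variadic logging wrapper, hypothetically named `log_raw`, that forwards whatever it is given as the format string. The vulnerable sink passes the already formatted line as the format, the fixed sink passes it as data behind a constant `"%s"`. The demo process name contains only `%%`, which is consumed without reading arguments, so the behaviour stays defined; it also includes a small defender-side check that counts real conversion directives in a process name.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Variadic wrapper standing in for syslog(3): formats into `out`.
 * Like syslog, it treats its `fmt` argument as a format string. */
static int log_raw(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Equivalent of the original `syslog(LOG_WARNING, buffer);`:
 * the message (which embeds the process name) becomes the format. */
static int sink_vulnerable(char *out, size_t n, const char *buffer)
{
    return log_raw(out, n, buffer);
}

/* Equivalent of the patched `syslog(LOG_WARNING, "%s", buffer);`. */
static int sink_fixed(char *out, size_t n, const char *buffer)
{
    return log_raw(out, n, "%s", buffer);
}

/* Builds the line AND would log for a CPU hog and renders it through
 * one of the two sinks. Returns a pointer to a static buffer. */
static const char *render(const char *proc_name, int use_fix)
{
    static char msg[128], out[128];
    snprintf(msg, sizeof msg, "process %s exceeded CPU limit", proc_name);
    if (use_fix)
        sink_fixed(out, sizeof out, msg);
    else
        sink_vulnerable(out, sizeof out, msg);
    return out;
}

/* Defender-side check: number of conversion directives in a string,
 * ignoring the literal "%%". Non-zero for a process name is an anomaly
 * worth alerting on (e.g. "%n%n%n%n" from the advisory gives 4). */
static int count_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }  /* escaped percent sign */
        count++;
    }
    return count;
}
```

With the process name `50%%busy` the vulnerable sink logs `50%busy` (one percent sign was interpreted), while the fixed sink preserves the name byte for byte.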