COMMAND

	AOLServer DB Proxy Daemon Format String Vulnerability

SYSTEMS AFFECTED

	AOLServer 3.4.2, 3.4.1, 3.4, 3.3.1, 3.2.1, 3.2, 3.1, 3.0

PROBLEM

	From Guillaume  Pelat  of  INTEXXIA  [http://www.intexxia.com]  security
	advisory [ID #1052-300102] :
	

	AOL Server provides an API to develop external database driver proxy  daemons.
	Those daemons are linked to a library (libnspd.a).
	

	The Laboratory intexxia found a format  string  and  a  buffer  overflow
	vulnerability in the \'Ns_PdLog\' function  of  the  library.  Successful
	exploitation of the bug could allow an attacker to execute code and  get
	access on the system.
	

	As  a  result,  all  the  External  Driver  Proxy  Daemons   using   the
	\'Ns_PdLog\'  function  with  the  \'Error\'  or  \'Notice\'   parameter
	are  potentially vulnerable.

SOLUTION

	This vulnerability has been fixed in the current version in  CVS  branch
	nsd_v3_r3_p0 (post-AOLserver 3.4.2) and can be  used  for  any  affected
	version. The patch used was created by intexxia  and  can  be  found  in
	attachment. More  information can  be found  at the  following URL :
	

	 

	http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1

	

	diff -dru aolserver-3.4.2/nspd/log.c aolserver-3.4.2-patched/nspd/log.c

	

	--- aolserver-3.4.2/nspd/log.c	Tue Aug 15 22:24:33 2000

	+++ aolserver-3.4.2-patched/nspd/log.c	Wed Jan 30 09:03:11 2002

	@@ -206,14 +206,13 @@

	             char msgbuf[4096];

	=20

	             va_start(ap, format);

	-            vsprintf(msgbuf, format, ap);

	+            vsnprintf(msgbuf, sizeof (msgbuf), format, ap);

	             va_end(ap);

	-            syslog(priority, msgbuf);

	+            syslog(priority, \"%s\", msgbuf);

	         }

	     }

	 }

	=20

	-=0C

	 /*

	  =

	*----------------------------------------------------------------------

	  *