[Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
- From: Martin Baulig <martin home-of-linux org>
- To: gnome-hackers gnome org
- Subject: [Benoît Roussel <benoit roussel intexxia com>] [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
- Date: 26 Nov 2001 22:51:09 +0100
Hi,
can someone please have a look at this and make a new libgtop release
for me?
Unfortunately, I have no time at all for this for the next two months since
I'm way too busy with my learning.
Thanks in advance,
Martin
--- Begin Message ---
- From: Benoît Roussel <benoit roussel intexxia com>
- To: <martin home-of-linux org>
- Cc: "CERT - INTEXXIA" <cert intexxia com>
- Subject: [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
- Date: Mon, 26 Nov 2001 16:23:05 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
26 11 2001 ID #1048-261101
________________________________________________________________________
TITLE : libgtop_daemon Remote Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________
SYSTEM AFFECTED
===============
libgtop_daemon <= 1.0.12
________________________________________________________________________
DESCRIPTION
===========
The Laboratory intexxia found a remotely exploitable format string
vulnerability in libgtop_daemon which could cause privilege escalation
on a remote system.
________________________________________________________________________
DETAILS
=======
libgtop_daemon is a GNOME daemon used to monitor processes running
on a remote system.
The Laboratory intexxia just found a remote format string
vulnerability in this daemon. The two functions named syslog_message() and
syslog_io_message() are called with a format string which is initialized
by the client.
By sending a specially crafted format string to the server, it
is possible for a remote attacker to execute arbitrary code on the
remote system with the daemon permissions. This vulnerability could
cause privilege escalation.
The permitted() function, which verifies whether the client trying
to connect is authorized to, is affected by this flaw.
The libgtop_daemon daemon is launched with 'nobody' permissions
by default. Complete exploitation of this vulnerability will permit an
attacker to execute code with the 'nobody' permissions. But this flaw
could be used to compromise the local system by exploiting other local
vulnerabilities.
________________________________________________________________________
PROOF OF CONCEPT
================
Here is a proof of concept to show where the problem occurs :
Client side :
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%p%p
Connection closed by foreign host.
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%n%n
Connection closed by foreign host.
Server side :
~/# libgtop_daemon -f
' from clientn[3877]: Invalid authentication protocol
'0xbffff46c0x804b2ae
libgtop-daemon[3877]: Refused connection from 127.0.0.1.
Segmentation fault
________________________________________________________________________
WORKAROUND
==========
There is no official solution for the moment. But it is possible
to correct the problem by modifying the file 'src/daemon/gnuserv.c' :
In function syslog_message(), replace :
syslog (priority, buffer);
by :
syslog (priority, "%s", buffer);
And in function syslog_io_message(), replace :
syslog (priority, buffer2);
by :
syslog (priority, "%s", buffer2);
The Laboratory intexxia developed the following patch to correct this
vulnerability :
diff -dru libgtop-1.0.12/src/daemon/gnuserv.c
libgtop-1.0.12-patched/src/daemon/gnuserv.c
--- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001
+++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001
@@ -93,7 +93,7 @@
vsnprintf (buffer, BUFSIZ-1, format, ap);
va_end (ap);
- syslog (priority, buffer);
+ syslog (priority, "%s", buffer);
}
void
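Review bot: the change closes the real sink (syslog() was being handed the already-expanded buffer as its format), but note that vsnprintf (buffer, BUFSIZ-1, format, ap) two lines above still takes `format` from the caller, so every caller of syslog_message() must keep passing a string literal as `format` and put client-controlled text only in the variadic arguments; a grep of the call sites for a non-literal first argument would confirm the patch is sufficient.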
@@ -108,7 +108,7 @@
va_end (ap);
snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));
- syslog (priority, buffer2);
+ syslog (priority, "%s", buffer2);
}
/*
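Review bot: same correct fix as the first hunk; while touching this function, strerror (errno) in the snprintf line is evaluated after vsnprintf() and va_end() have run, either of which may clobber errno, so consider saving errno into a local at function entry and passing that saved value to strerror().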
________________________________________________________________________
VENDOR STATUS
=============
26-11-2001 : This bulletin was sent to the libgtop_daemon
development team.
This vulnerability will be publicly released in 7 days if
intexxia does not get any answer from the libgtop_daemon development
team by this time.
________________________________________________________________________
DISCLAIMER
==========
Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.
________________________________________________________________________
DIFFUSION CRITERIA
==================
(c) Intexxia 2001. This information is classified restricted,
which means that you cannot redistribute it outside the Cert community.
________________________________________________________________________
CONTACT
=======
CERT intexxia cert intexxia com
INTEXXIA Standard : +33 1 55 69 49 10
171, av. Georges Clemenceau Fax : +33 1 55 69 78 80
92024 Nanterre Cedex - France
--- End Message ---
--
Martin Baulig
martin gnome org
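The pattern behind the workaround above, as an added example that is not code from the advisory or from libgtop: the daemon's own literal format is expanded once, client text enters only as an argument, and the rendered line is then passed to syslog() behind a fixed "%s". The helper names and the "Invalid authentication protocol" line are assumptions modelled on the proof-of-concept output, not libgtop's source.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOGBUF 1024

/* Returns 1 if s contains a '%' that is not the escape "%%", i.e. if
   handing s to syslog()/printf() as a FORMAT would interpret it.
   This is the property the unpatched second syslog() call relied on
   never being true, and which client input violates. */
int has_format_directives(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" only prints a literal '%' */
            s++;
            continue;
        }
        return 1;               /* %p, %n, %s, ... would be interpreted */
    }
    return 0;
}

/* Hardened equivalent of the advisory's syslog_message(): the caller's
   fmt must be a string literal; the rendered text reaches syslog() only
   as the argument of a fixed "%s" format. (Hypothetical helper.) */
void log_message(int priority, const char *fmt, ...)
{
    char buffer[LOGBUF];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, ap);
    va_end(ap);
    syslog(priority, "%s", buffer);     /* never syslog(priority, buffer) */
}

/* Models the permitted() refusal path: client text is an ARGUMENT to a
   literal format. Writes the rendered line to out and returns 1 if that
   line would be dangerous to reuse as a format, which is exactly what
   the unpatched code did. (Constructed stand-in, not libgtop's code.) */
int refusal_line_unsafe_as_format(char *out, size_t outlen, const char *client_text)
{
    snprintf(out, outlen, "Invalid authentication protocol '%s' from client", client_text);
    return has_format_directives(out);
}
```

Building the daemon with -Wformat-security (or -Wformat=2) flags the original syslog (priority, buffer) call at compile time, which is the cheapest way to catch a reintroduction of this pattern.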