[UNIX] Formatting String Bug in Cyrus-SASL Library
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Formatting String Bug in Cyrus-SASL Library
Message-Id: <20011103194912.96B7E138BF@mail.der-keiler.de>
Date: Sat, 3 Nov 2001 20:49:12 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Formatting String Bug in Cyrus-SASL Library
------------------------------------------------------------------------
SUMMARY
SASL (<http://asg.web.cmu.edu/sasl/>) is the Simple Authentication and
Security Layer, a method for adding authentication support to
connection-based protocols.
A security vulnerability in the product allows attackers to use a
format string attack to make the product execute arbitrary code.
DETAILS
Vulnerable systems:
Cyrus-SASL version 1.5.24
Immune systems:
Cyrus-SASL version 1.5.27
NOTE: The Cyrus-SASL library is used by applications such as Cyrus Imapd,
OpenLDAP, Sendmail, etc.
The last non-beta version of the Cyrus-SASL library suffers from a format
string bug in the default logging callback.
Generally the Cyrus plugins do not log the username or similar data, but
there is at least one plugin which appears to call that function indirectly
with user-supplied data. You may also want to check whether untrusted data
is logged in the case of protocol errors.
The default Cyrus SASL logging callback is:
    static int _sasl_syslog(void *context __attribute__((unused)),
                            int priority,
                            const char *message)
    {
        int syslog_priority;
        /* ... the SASL priority is mapped to syslog_priority here ... */
At the end of that function there is:
        /* do the syslog call. do not need to call openlog */
        syslog(syslog_priority | LOG_AUTH, message);
        return SASL_OK;
    }
syslog() takes a format string as its second argument, so `message` is
interpreted as a format string rather than logged as plain data.
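To make the difference concrete, here is an added example (not code from the advisory or from the Cyrus-SASL sources; the function names are hypothetical). It shows the callback written the way the advisory's patch writes it, a buffer-rendering variant so the behaviour can be checked offline, and a small audit helper that counts printf-style directives in untrusted text, which is the kind of check a defender would put in front of any logger that has not yet been patched:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical hardened logging callback, written the way the advisory's
 * patch writes it: the caller-supplied message is an ARGUMENT to a literal
 * "%s" format, so any '%' inside it is plain data. Passing `message` itself
 * as the format (the 1.5.24 behaviour) lets directives such as "%x" read
 * stack words and "%n" write memory. */
void safe_sasl_syslog(int priority, const char *message)
{
    syslog(priority | LOG_AUTH, "%s", message);
}

/* Same idea rendered into a caller buffer so it can be checked offline.
 * Returns the length of the rendered message (like snprintf), or -1 on bad
 * arguments. The message is copied byte for byte, directives and all,
 * because it is never interpreted as a format. */
int safe_log_render(char *out, size_t outlen, const char *message)
{
    if (out == NULL || outlen == 0 || message == NULL)
        return -1;
    int n = snprintf(out, outlen, "%s", message);
    return n < 0 ? -1 : n;
}

/* Audit helper: count printf-style conversion directives in untrusted text.
 * "%%" is a literal percent and a lone trailing '%' is not a directive.
 * A non-zero result in a username, realm or protocol token is worth an
 * alert, because an unpatched logger would have interpreted that value. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* lone '%' at end of string */
            break;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a protocol-error message carrying a user value */
    const char *msg = "authentication failed for user %x%x%n";
    char buf[256];
    int n = safe_log_render(buf, sizeof buf, msg);
    printf("rendered %d bytes: %s\n", n, buf);
    printf("directives in user data: %d\n", count_format_directives(msg));
    safe_sasl_syslog(LOG_WARNING, msg);   /* reaches the system log as literal text */
    return 0;
}
```

The rendering helper deliberately mirrors snprintf's return convention (the would-be length even when the buffer is too small), so a caller can detect truncation without ever handing user data to a format parser.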
This applies to cyrus-sasl-1.5.24, the latest non-beta version at
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
Solution:
Download the latest version of the program from:
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/cyrus-sasl-1.5.27.tar.gz
Patch:
--- lib/common.c.orig Maanantai Hein?kuu 17 20:21:02 2000
+++ lib/common.c Tiistai Lokakuu 2 12:31:13 2001
@@ -596,7 +596,9 @@
}
/* do the syslog call. do not need to call openlog */
- syslog(syslog_priority | LOG_AUTH, message);
+
+ /* Patched by Kari Hurtta -- 2001-10-02 */
+ syslog(syslog_priority | LOG_AUTH, "%s", message);
return SASL_OK;
}
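Review bot: the attribution comment "/* Patched by Kari Hurtta -- 2001-10-02 */" and the added blank line belong in the ChangeLog rather than inside the body of _sasl_syslog; the substantive change, passing message as the argument to the literal "%s" format in syslog(syslog_priority | LOG_AUTH, "%s", message), is the correct fix, and the same form should be applied to any other syslog/printf-family call in the library that receives a non-literal string. The month names in the --- and +++ headers are Finnish and mis-encoded (Hein?kuu), which is harmless to patch(1) but worth noting when comparing timestamps.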
ADDITIONAL INFORMATION
The information has been provided by Kari Hurtta <hurtta+zz@leija.mh.fmi.fi>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.