[UNIX] Auto Nice Daemon Format String Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Auto Nice Daemon Format String Vulnerability
Message-Id: <20011128131800.BCE61138BF@mail.der-keiler.de>
Date: Wed, 28 Nov 2001 14:18:00 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Auto Nice Daemon Format String Vulnerability
------------------------------------------------------------------------

SUMMARY

AND (Auto Nice Daemon, <http://and.sourceforge.net/>) is a daemon that
automatically renices (lowers the scheduling priority of) a user process
that consumes too much CPU time. It can also kill the process if its CPU
usage goes beyond a configured level.

AND contains a format string bug that a local user can exploit to gain
higher privileges on the system. The attacker only needs to run a
CPU-hungry process whose name contains format directives, such as
'%n%n%n%n'.

The problem occurs when the daemon calls syslog(3) with a message buffer
that embeds the process name as the format argument (the parameter
following the priority) instead of passing it as data. Since a user can
give a process any name they like, the directives in that name are
interpreted by syslog(3), and each '%n' becomes a write to memory.

Full exploitation can lead to privilege escalation. Because the AND
process runs as 'root', a local user could execute arbitrary code with
'root' privileges.

DETAILS

Vulnerable systems:
AND version 1.0.4 and prior

Immune systems:
AND version 1.0.5

Proof of concept:
It is simple to create a program that burns CPU time and carries a
specially crafted name:

  % cat foo.c
  /* Spin forever so AND notices the CPU use and logs the process name. */
  int main(void)
  {
      while (1)
          ;
      return 0;
  }
  % gcc foo.c -o %n%n%n%n
  % ./%n%n%n%n

This causes a segmentation fault in the AND daemon as soon as it logs the
process name. The crash is the proof of concept; turning the '%n' writes
into code execution requires tailoring the format string to the daemon's
stack layout, which this advisory does not do.
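The vulnerable and fixed logging paths from the patch below, side by side, as an added example that is not AND's code: the hypothetical build_message() helper formats the daemon's message into buffer (an assumption about what the va_start/va_end in the patched function do), and the hypothetical sink() is a printf-style stand-in for syslog(3) that writes to a string so the result can be inspected. With a process name containing '%%' the 1.0.4 path silently consumes the directive and logs an altered name; that interpretation of attacker text as a format is exactly what makes '%n' dangerous, and the 1.0.5 path logs the name verbatim.

```c
/* Added example (not from and.c): the vulnerable and fixed logging paths
 * from the advisory's patch, with a string sink standing in for syslog(3)
 * so the effect of a crafted process name can be observed safely. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Hypothetical stand-in for the daemon's message builder: formats the
 * trusted template plus the untrusted process name into buffer. */
static void build_message(char *buffer, size_t n, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    vsnprintf(buffer, n, fmt, args);
    va_end(args);
}

/* Stand-in for syslog(3): a printf-style sink that writes to out instead
 * of the system log. Like syslog, it interprets whatever it gets as fmt. */
static int sink(char *out, size_t n, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int len = vsnprintf(out, n, fmt, args);
    va_end(args);
    return len;
}

/* 1.0.4 behaviour: buffer, which now contains the attacker-chosen process
 * name, is passed as the format string (syslog(LOG_WARNING, buffer)). */
int log_unsafe(char *out, size_t n, const char *procname)
{
    char buffer[LOGBUF];
    build_message(buffer, sizeof buffer, "process %s exceeds CPU limit", procname);
    return sink(out, n, buffer);
}

/* 1.0.5 fix: a constant format, with buffer passed as a "%s" argument
 * (syslog(LOG_WARNING, "%s", buffer)). */
int log_safe(char *out, size_t n, const char *procname)
{
    char buffer[LOGBUF];
    build_message(buffer, sizeof buffer, "process %s exceeds CPU limit", procname);
    return sink(out, n, "%s", buffer);
}

int main(void)
{
    /* Constructed process name: "%%" is the one directive a printf-family
     * function can interpret with no arguments and no undefined behaviour. */
    const char *procname = "50%%cpu";
    char out[LOGBUF];

    log_unsafe(out, sizeof out, procname);
    printf("unsafe: %s\n", out);   /* name comes back altered: 50%cpu */
    log_safe(out, sizeof out, procname);
    printf("safe:   %s\n", out);   /* name logged verbatim: 50%%cpu */
    return 0;
}
```

Compiling the unsafe variant against the real syslog(3) with -Wformat-security would flag the call; sink() deliberately carries no format attribute so the two paths can be compared in one program.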

Solution:
Update AND to version 1.0.5:

 http://and.sourceforge.net

You can also apply the following patch that fixes the vulnerability:

  diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c
  --- and-1.0.4/and.c Sat Jul 7 21:43:15 2001
  +++ and-1.0.4-patched/and.c Fri Nov 23 11:50:27 2001
  @@ -218,7 +218,7 @@
         fflush(out);
       } else {
         /* write to syslog if in full operations */
  - syslog(LOG_WARNING,buffer);
  + syslog(LOG_WARNING, "%s", buffer);
       }
     }
     va_end(args);
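Review bot: the "%s" fix at the syslog call is the right one, since buffer carries the attacker-chosen process name and must never be the format argument; but the sibling branch above this hunk, the one ending in fflush(out), is not shown, and if it emits buffer with fprintf(out, buffer) it has the same bug and needs fprintf(out, "%s", buffer) as well. Building with -Wformat-security (or -Wformat=2) would flag both call sites.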

ADDITIONAL INFORMATION

The information has been provided by Benoit Roussel
<benoit.roussel@intexxia.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
