[UNIX] Auto Nice Daemon Format String Vulnerability
From: support@securiteam.com
Date: 11/28/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Auto Nice Daemon Format String Vulnerability
Message-Id: <20011128131800.BCE61138BF@mail.der-keiler.de>
Date: Wed, 28 Nov 2001 14:18:00 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Auto Nice Daemon Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://and.sourceforge.net/> AND (Auto Nice Daemon) is a daemon that
automatically renices (lowers the priority of) a user process if it uses
too much CPU time. It can also kill the process if it goes beyond a
defined level.
AND is vulnerable to a format string bug that a local user can exploit to
gain higher privileges on the system. The attacker only needs to run a
CPU-hungry process whose name contains format directives, such as
'%n%n%n%n'.
The problem is that the daemon's logging routine passes an already
formatted message, which contains the process name, to syslog(3) as the
format string (the second parameter) instead of as an argument to a fixed
"%s" format. Since a user can give a process any name he likes, the
directives in the name are interpreted by syslog, and the bug is easy to
trigger.
Full exploitation of this vulnerability can lead to privilege escalation:
since the AND daemon runs as 'root', a local user could execute arbitrary
code with 'root' privileges.
DETAILS
Vulnerable systems:
AND version 1.0.4 and prior
Immune systems:
AND version 1.0.5
Proof of concept:
It is simple to trigger the bug with a program that burns CPU time and is
given a name containing format directives:
% cat foo.c
/* Spin forever so AND notices the CPU usage and logs this process. */
int main()
{
while (1);
return 0;
}
% gcc foo.c -o %n%n%n%n
% ./%n%n%n%n
This causes a segmentation fault in the AND daemon: each '%n' directive
makes syslog write an integer through a pointer taken from the stack, which
confirms that the process name is being interpreted as a format string. An
attacker who controls the addresses and values written can turn the same
write primitive into code execution as root.
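To make the mechanism concrete, here is an added example (not code from AND or from the advisory) that reproduces the vulnerable and the fixed logging pattern side by side. It substitutes vsnprintf into a buffer for syslog(3), which formats its message the same way, so the effect is visible without a running daemon. The message text, the function names and the process names are assumptions constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(LOG_WARNING, fmt, ...): formats into out instead of
 * sending to syslogd, so the effect is visible offline. The attribute lets
 * gcc -Wformat-security flag a non-literal fmt, as it does for real syslog(). */
__attribute__((format(printf, 3, 4)))
static int fake_syslog(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

static const char *const MESSAGE = ": too much CPU time";   /* assumed text */

/* Pattern from and.c before 1.0.5: the message is formatted once with a
 * fixed format, then the result is handed to syslog as a *format string*,
 * so every '%' sequence in procname is interpreted a second time. */
static int log_vulnerable(char *out, size_t outsz, const char *procname)
{
    char buffer[256];
    snprintf(buffer, sizeof buffer, "%s%s", procname, MESSAGE);
    return fake_syslog(out, outsz, buffer);        /* BUG: user text as format */
}

/* Pattern from the 1.0.5 fix: literal "%s" format, message as argument. */
static int log_fixed(char *out, size_t outsz, const char *procname)
{
    char buffer[256];
    snprintf(buffer, sizeof buffer, "%s%s", procname, MESSAGE);
    return fake_syslog(out, outsz, "%s", buffer);
}

/* Render procname through either path into a static buffer and return it. */
static const char *render(int fixed, const char *procname)
{
    static char out[256];
    if (fixed)
        log_fixed(out, sizeof out, procname);
    else
        log_vulnerable(out, sizeof out, procname);
    return out;
}

/* Number of argument-consuming conversions in s ("%%" consumes none).
 * When such a string reaches a format parameter, each conversion reads
 * (or, for %n, writes through) a vararg that was never supplied. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* literal percent: skip the pair */
        else
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed process names. "100%%cpu" is the one case that is safe to
     * push through the vulnerable path: "%%" is interpreted (collapses to a
     * single '%') but consumes no argument, so no undefined behaviour. */
    printf("vulnerable: %s\n", render(0, "100%%cpu"));  /* 100%cpu: too much CPU time */
    printf("fixed:      %s\n", render(1, "100%%cpu"));  /* 100%%cpu: too much CPU time */

    /* The advisory's name: four %n writes. Only the fixed path may run it;
     * through log_vulnerable each %n would store an int at a stack-derived
     * address, which is what crashes the AND daemon in the advisory. */
    printf("\"%%n%%n%%n%%n\" carries %d directives\n", count_directives("%n%n%n%n"));
    printf("fixed:      %s\n", render(1, "%n%n%n%n"));  /* %n%n%n%n: too much CPU time */
    return 0;
}
```

Compile with `gcc -Wall -Wformat-security`: the call in log_vulnerable is flagged because its format is not a string literal, the same warning glibc's syslog() prototype produces for the original and.c line. Only the `%%` case is deliberately pushed through the vulnerable path; with `%n` the result is undefined behaviour, which is exactly the segfault the advisory reports.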
Solution:
Update AND to version 1.0.5:
http://and.sourceforge.net
You can also apply the following patch that fixes the vulnerability:
diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c
--- and-1.0.4/and.c Sat Jul 7 21:43:15 2001
+++ and-1.0.4-patched/and.c Fri Nov 23 11:50:27 2001
@@ -218,7 +218,7 @@
fflush(out);
} else {
/* write to syslog if in full operations */
- syslog(LOG_WARNING,buffer);
+ syslog(LOG_WARNING, "%s", buffer);
}
}
va_end(args);
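Review bot: the one-line fix is correct, but the other branch of this if/else lies outside the hunk's context and should be checked the same way: `fflush(out);` implies a write to `out` just above it, and if that write is `fprintf(out, buffer)` rather than `fprintf(out, "%s", buffer)` the identical bug survives in file-logging mode. Because `buffer` is built from a va_list in this function (`va_end(args);` follows the hunk), any later use of it as a format is a second interpretation of attacker-controlled text; compiling and.c with `-Wformat -Wformat-security` flags `syslog(LOG_WARNING,buffer)` directly and would catch any remaining instance.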
ADDITIONAL INFORMATION
The information has been provided by Benoit Roussel
<benoit.roussel@intexxia.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.