[UNIX] Perdition/Vanessa_logger Format String Vulnerability
From: support@securiteam.com Date: 12/26/01
From: support@securiteam.com To: list@securiteam.com Date: Wed, 26 Dec 2001 09:58:38 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Perdition/Vanessa_logger Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.ca.us.vergenet.net/linux/perdition/> Perdition allows users
to connect to a content-free POP3 or IMAP4 server that will redirect them
to their real POP3 or IMAP4 server. There is a format string vulnerability
in the libvanessa_logger library used by perdition that allows a
remote attacker to take over the administrator's server.
DETAILS
Vulnerable systems:
Perdition version 0.1.8 and prior
Immune systems:
Perdition version 0.1.9
Example:
$ telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK POP3 Ready freegobbles.bugtraq.org
USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p
+OK USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p set
PASS HEHEHE!
In the system logs written by syslogd you would notice:
Dec 18 06:23:36 freegobbles perdition[42804]: Connect:
user="GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->0x8053140-0xbfbffb78-0x2807cc6c" server="(null)" port="110"
Technical details:
The following piece of code from libvanessa_logger/vanessa_logger.c shows
the vulnerable section:
/**********************************************************************
 * vanessa_logger.c September 2000
 * Horms horms@vergenet.net
 *
 * vanessa_logger
 * Generic logging layer
 * Copyright (C) 2000 Horms
 ...
/**********************************************************************
 * __vanessa_logger_log
 * Internal function to log a message
 * pre: vl: logger to use
 *      priority: priority to log with
 *                Only used if log type is __vanessa_logger_syslog
 *                Ignored otherwise
 *      fmt: format for log message
 *      ap: varargs for format
 * post: message is logged to appropriate logger
 *       vl->ident[pid]: will be prepended to each log
 *       '\n' will be appended to each log that doesn't already end with
 *       a '\n'
 *       Nothing on error
 * return: none
 **********************************************************************/
/* File-handle variant: _fmt is the caller's own format string; the
 * caller's arguments (including any user-supplied text) arrive in _ap,
 * so vfprintf() consumes them as data. */
#define __VANESSA_LOGGER_DO_FH(_vl, _fmt, _fh, _ap) \
{ \
    int len; \
    if(snprintf( \
        _vl->buffer, \
        _vl->buffer_len-1, \
        "%s[%d]: %s", \
        _vl->ident, \
        getpid(), \
        _fmt \
    )<0){ \
        fprintf(_fh, "__vanessa_logger_log: snprintf: output truncated\n"); \
        return; \
    } \
    len=strlen(_vl->buffer); \
    if(*((_vl->buffer)+len-1)!='\n'){ \
        *((_vl->buffer)+len)='\n'; \
        *((_vl->buffer)+len+1)='\0'; \
    } \
    vfprintf(_fh, _vl->buffer, _ap); \
}
static void __vanessa_logger_log(
    __vanessa_logger_t *vl,
    int priority,
    char *fmt,
    va_list ap
){
    if(vl==NULL||vl->ready==__vanessa_logger_false||priority>vl->max_priority){
        return;
    }
    switch(vl->type){
        case __vanessa_logger_filehandle:
            __VANESSA_LOGGER_DO_FH(vl, fmt, vl->data.d_filehandle, ap);
            break;
        case __vanessa_logger_filename:
            __VANESSA_LOGGER_DO_FH(vl, fmt, vl->data.d_filename->filehandle, ap);
            break;
        case __vanessa_logger_syslog:
            /* fmt is expanded with ap here, so any %-sequences contained in
             * the caller's arguments (e.g. the POP3 username) are now plain
             * text inside vl->buffer ... */
            if(vsnprintf(vl->buffer, vl->buffer_len, fmt, ap)<0){
                syslog(priority, "__vanessa_logger_log: vsnprintf: output truncated");
                return;
            }
            /* ... and vl->buffer is then passed to syslog() as its format
             * string, where those sequences are interpreted. */
            syslog(priority, vl->buffer);
            break;
        case __vanessa_logger_none:
            break;
    }
}
A sharp reader will note the unsafe syslog() call:
syslog(priority, vl->buffer);
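To make the two shapes of that call concrete, here is an added example in C; it is not code from perdition or libvanessa_logger. It models the syslog branch of __vanessa_logger_log twice: once with the expanded buffer used as the format (the vulnerable shape above) and once with the "%s" constant format of the workaround. The names expand_message, count_directives, format_as_is, sink_vulnerable_shape, sink_fixed, log_connect and looks_like_format_probe are this example's own, syslog() is replaced by writes into an output buffer so the result can be inspected offline, the vulnerable shape is only executed when the buffer carries no directives (otherwise the call would be undefined behaviour and is refused), and the inputs are constructed after the session and log line shown earlier.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not perdition/libvanessa_logger code: models the syslog
 * branch of __vanessa_logger_log with syslog() replaced by writes to `out`. */
#define BUF_LEN 256

/* Shared first step: the caller's trusted format is expanded with its
 * arguments, so the username and any %-sequences in it become buffer text. */
static int expand_message(char *buffer, size_t buffer_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buffer, buffer_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Conversion specifications in s ("%%" is a literal percent, not counted). */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '%') {
            if (s[1] == '%')
                s++;            /* escaped percent: skip the pair */
            else
                n++;
        }
    return n;
}

/* Shape of syslog(priority, vl->buffer): the expanded buffer is the format
 * and there are no arguments for its directives to consume. */
static int format_as_is(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable sink. Only run when the buffer has no directives; otherwise the
 * call would be undefined behaviour, so the message is refused with -1. */
int sink_vulnerable_shape(char *out, size_t out_len, const char *buffer)
{
    if (count_directives(buffer) != 0)
        return -1;
    return format_as_is(out, out_len, buffer);
}

/* Fixed sink, shape of syslog(priority, "%s", vl->buffer): constant format,
 * buffer passed as data, so "%p" in a username is emitted literally. */
int sink_fixed(char *out, size_t out_len, const char *buffer)
{
    return snprintf(out, out_len, "%s", buffer);
}

/* Build perdition's "Connect:" line for a username and run it through the
 * chosen sink; returns that sink's result. */
int log_connect(const char *user, char *out, size_t out_len, int use_fix)
{
    char buffer[BUF_LEN];
    expand_message(buffer, sizeof buffer,
                   "Connect: user=\"%s\" server=\"%s\" port=\"%d\"",
                   user, "(null)", 110);
    return use_fix ? sink_fixed(out, out_len, buffer)
                   : sink_vulnerable_shape(out, out_len, buffer);
}

/* Triage for syslog lines already on disk: a user="..." field holding '%'
 * (patched server) or "0x" values (unpatched, as in the advisory) is suspect. */
int looks_like_format_probe(const char *logline)
{
    const char *f = strstr(logline, "user=\"");
    if (f == NULL)
        return 0;
    f += strlen("user=\"");
    const char *end = strchr(f, '"');
    size_t len = end ? (size_t)(end - f) : strlen(f);
    for (size_t i = 0; i < len; i++) {
        if (f[i] == '%' || (f[i] == '0' && i + 1 < len && f[i + 1] == 'x'))
            return 1;
    }
    return 0;
}

int main(void)
{
    char out[BUF_LEN];
    /* Constructed input modelled on the advisory's USER command. */
    const char *probe = "GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p";
    if (log_connect(probe, out, sizeof out, 0) < 0)
        printf("vulnerable shape refused: %zu directives\n", count_directives(probe));
    log_connect(probe, out, sizeof out, 1);
    printf("fixed shape: %s\nflagged by triage: %d\n", out, looks_like_format_probe(out));
    return 0;
}
```

Build with `cc -Wall demo.c`. Building the original library with `gcc -Wformat -Wformat-security` would have warned on `syslog(priority, vl->buffer)`, because glibc declares syslog() with a printf-style format attribute and that call passes a non-literal format with no arguments; the "%s" form produces no such warning.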
Workaround:
It is suggested that administrators modify libvanessa_logger.c so that the
call reads as follows:
- syslog(priority, vl->buffer);
+ syslog(priority, "%s", vl->buffer);
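Review bot: the one-line change is the correct and sufficient fix for this hunk: with the constant "%s" format, vl->buffer, which vsnprintf() has already expanded with the caller's arguments, reaches syslog() as data, so a username such as the "->%p-%p-%p" one in the example is logged literally instead of being parsed for directives. No equivalent change is needed in the two file-handle branches, where fmt is still the caller's own format and user-supplied text only enters through ap. The preceding `vsnprintf(...) < 0` check is a separate matter (a negative return reports an error, not truncation, so the "output truncated" message is misleading) and is rightly left out of this minimal patch.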
ADDITIONAL INFORMATION
The information has been provided by <mailto:GOBBLES@hushmail.com>
GOBBLES Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.