[UNIX] Bypassing Libsafe Format String Protection

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 23 Mar 2002 18:53:30 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Bypassing Libsafe Format String Protection
------------------------------------------------------------------------

SUMMARY

Libsafe (<http://www.research.avayalabs.com/project/libsafe/>) provides
ineffective protection against format string attacks: the checks its
*printf wrappers apply to %n directives can be trivially bypassed.

DETAILS

Vulnerable systems:
Libsafe version up to 2.0-11

Immune systems:
Libsafe version 2.0-12 and above

The Libsafe library protects a process against the exploitation of buffer
overflow vulnerabilities on the process stack. It works with any existing
pre-compiled executable and can be used transparently, even system-wide:
it intercepts calls to library functions that are known to be dangerous
and substitutes versions that implement the original functionality but
ensure that any buffer overflow is contained within the current stack
frame. For the *printf family the substitute parses the format string and
refuses a %n directive whose target pointer lies where a saved frame
pointer or return address is stored. Libsafe has been shown to detect
several known attacks and can potentially prevent yet unknown attacks.

Details:
1. Libsafe's protection against format string exploits can be bypassed
with flag characters that glibc implements but Libsafe's format string
parser does not recognise.

Neither flag is part of the C standard: ' is specified by SUSv2 and I is
a glibc 2.2 extension (quoting the printf(3) manpage):

       ' For decimal conversion (i, d, u, f, F, g, G) the
              output is to be grouped with thousands' grouping
              characters if the locale information indicates any.
              Note that many versions of gcc cannot parse this
              option and will issue a warning. SUSv2 does not
              include %'F.

       I For decimal integer conversion (i, d, u) the output
              uses the locale's alternative output digits, if any
              (for example, Arabic digits). However, it does not
              include any locale definitions with such outdigits
              defined. (glibc 2.2 only)

Example exploit (glibc still performs the %n write, but the Libsafe
wrapper does not recognise the directive as a conversion because of the
leading flag):
printf("%'n", &target);
printf("%In", &target);

2. The Libsafe *printf wrappers parse positional argument indexing (the
m$ form) incorrectly. They assume that the n-th conversion specification
always uses the n-th argument and do not count the number of arguments
actually referenced. Consequently an argument whose position is greater
than the number of conversion specifications in the format string is
never verified at all.

Example exploit:
printf("%2$n", "unused argument", &target);

Conversion specifications in the format string: 1 ("%2$n")
Arguments actually referenced: 2 (the %n writes through the second one,
&target, which the wrapper never checks)
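To make both parser weaknesses concrete, here is a small C model of a Libsafe-style %n checker. It is an added illustration, not Libsafe's own code and not code from the advisory: check_format() is a hypothetical wrapper-side parser, the frame[] array and its "protected" byte range stand in for a stack frame's saved frame pointer and return address, and the args[] array stands in for the va_list a real wrapper would inspect. With strict=0 the parser knows only the C-standard flags and maps the k-th conversion to the k-th argument, as the advisory describes; with strict=1 it accepts glibc's ' and I flags and honours m$ positions. Running it shows "%s%n" blocked by both variants, while "%s%'n", "%s%In" and "%2$n" slip past the naive one only.

```c
/* Added example, not Libsafe's code: a toy model of a Libsafe-style %n checker.
 * check_format() walks a printf format and refuses any %n whose target lies in
 * a "protected" range (a stand-in for a saved frame pointer or return address).
 * strict=0 reproduces the advisory's two weaknesses; strict=1 fixes them. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned char frame[64];  /* constructed stand-in for a stack frame;   */
                                 /* bytes [32,40) play the saved fp/ret addr */
static int is_protected(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)(frame + 32) && a < (uintptr_t)(frame + 40);
}

/* C-standard flags versus glibc's, which add ' (SUSv2) and I (glibc 2.2).  A
 * parser that only knows the standard set never sees %'n or %In as a conversion. */
static const char STD_FLAGS[]   = "-+ #0";
static const char GLIBC_FLAGS[] = "-+ #0'I";

/* If *pp holds digits followed by '$', consume them and return the 1-based
 * position; otherwise return 0 and leave *pp alone (the digits are a width). */
static int take_position(const char **pp)
{
    const char *p = *pp;
    int v = 0;
    while (*p >= '0' && *p <= '9')
        v = v * 10 + (*p++ - '0');
    if (v > 0 && *p == '$') {
        *pp = p + 1;
        return v;
    }
    return 0;
}

/* Returns 1 if the call may proceed, 0 if a %n would hit the protected range
 * (or, in strict mode, names an argument that does not exist).  args[] stands
 * in for the va_list a real wrapper would inspect; *m$ is not modelled. */
static int check_format(const char *fmt, void *const *args, int nargs, int strict)
{
    const char *flags = strict ? GLIBC_FLAGS : STD_FLAGS;
    const char *p = fmt;
    int next_arg = 0;                        /* sequential argument counter */

    while ((p = strchr(p, '%')) != NULL) {
        int pos, idx;
        if (*++p == '%') {                   /* literal percent */
            p++;
            continue;
        }
        pos = take_position(&p);             /* m$ prefix, if any */
        while (*p && strchr(flags, *p))      /* flag characters */
            p++;
        for (;;) {                           /* width, then precision */
            if (*p == '*') {                 /* '*' consumes an argument, */
                p++;                         /* counted only in strict mode */
                next_arg += strict;
            }
            while (*p >= '0' && *p <= '9')
                p++;
            if (*p != '.')
                break;
            p++;
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0')
            break;
        if (!strchr("diouxXeEfFgGaAcspn", *p))
            continue;                        /* unknown directive: skipped */
        /* The naive parser discards the m$ it parsed and assumes the k-th
         * conversion uses the k-th argument. */
        idx = (strict && pos) ? pos - 1 : next_arg++;
        if (*p == 'n') {
            if (idx >= nargs) {
                if (strict)
                    return 0;                /* unverifiable target: refuse */
            } else if (is_protected(args[idx])) {
                return 0;
            }
        }
        p++;
    }
    return 1;
}

/* One format against the advisory's argument list: args[0] is a harmless
 * string, args[1] points into the protected range.  1 = the call gets through. */
int allowed(const char *fmt, int strict)
{
    static char unused[] = "unused argument";
    void *args[2] = { unused, frame + 36 };
    return check_format(fmt, args, 2, strict);
}

int main(void)
{
    static const char *const cases[] = { "%s%n", "%s%'n", "%s%In", "%2$n" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-6s naive=%s strict=%s\n", cases[i],
               allowed(cases[i], 0) ? "allowed" : "blocked",
               allowed(cases[i], 1) ? "allowed" : "blocked");
    return 0;
}
```

allowed(fmt, strict) is the entry point. The naive variant also misses an argument consumed by a * width (try "%*n"): the %n then writes through the second argument while the checker inspects the first, which is the advisory's uncounted-argument problem in another form. The strict variant refuses a %n whose position it cannot map to a known argument rather than silently skipping it.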

Fix:
Libsafe 2.0-12, released on March 18, 2002, fixes the issues above.

ADDITIONAL INFORMATION

The information has been provided by <mailto:cliph@isec.pl> Wojciech
Purczynski.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


