[UNIX] Format String Bug in Posadis DNS Server

From: support@securiteam.com
Date: 03/28/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Format String Bug in Posadis DNS Server
------------------------------------------------------------------------

SUMMARY

Posadis DNS server <http://sourceforge.net/projects/posadis/> is a simple
DNS server designed for Win32 and Linux, which will support administration
through a web interface. Its log_print() function expands the log message
into a buffer and then passes that buffer itself as the format string to
printf() and fprintf(). Any attacker-influenced text that reaches a log
message is therefore interpreted as printf directives: a format string
vulnerability that can lead to remote code execution.

DETAILS

Vulnerable systems:
Posadis DNS Server version m5pre1

Vulnerable code:
void log_print(message_log_level log_level, char *logmsg, ...) {
        char buff[4096];
        long tsecs;
        struct tm *tstruct;
        va_list args;

        /* compile buffer */
        tsecs = time(NULL);
        tstruct = localtime(&tsecs);
        sprintf(buff, "%04d/%02d/%02d %02d:%02d|",
                tstruct->tm_year + 1900, tstruct->tm_mon + 1, tstruct->tm_mday,
                tstruct->tm_hour, tstruct->tm_min);
        switch (log_level) {
                case LOG_LEVEL_INFO: strcat(buff, "INFO: "); break;
                case LOG_LEVEL_WARNING: strcat(buff, "WARNING: "); break;
                case LOG_LEVEL_ERROR: strcat(buff, "ERROR: "); break;
                case LOG_LEVEL_PANIC: strcat(buff, "PANIC: "); break;
        }

        va_start(args, logmsg);
        vsprintf(&buff[strlen(buff)], logmsg, args);
        va_end(args);
        strcat(buff, "\n");

        /* and print it to various targets */
        if (!no_stdout_log) printf(buff); <-- heh
        if (logfile) fprintf(logfile, buff); <-- heh
#ifdef _WIN32
        w32dlg_add_log_item(buff);
#endif
#ifdef HAVE_SYSLOG_H
        syslog(log_level, "%s", strchr(buff, '|') + 1);
#endif
}

If you direct your attention to the two lines of code with the arrows, you
will notice the format string violation: buff, which already holds the
expanded log message, is handed to printf() and fprintf() as the format
string instead of as an argument. Note that the syslog() call right below
them gets it right by using "%s".

Throughout the code, it is obvious that the authors put great effort into
never passing user-supplied data as the format string in the actual calls
to log_print(). Unfortunately, that is not enough: user-supplied data only
needs to be passed to log_print() as an ordinary argument. vsprintf()
expands it into buff, and the very next lines use buff as a format, so any
%-directives the attacker put in the data are interpreted on the second
pass.

Example:
Here are a few examples of some quick local tests. Posadis echoes each
rejected command-line option or posadis.conf line back through
log_print(), so the test input becomes part of the format. "%s%s%s%s"
makes printf() dereference four bogus stack words and crash, and "%08x"
prints one stack word (4016814c) into the log line instead of the option
text.

[kkr@eightball src]$ ./posadis %s%s%s%s
Segmentation fault (core dumped)
[kkr@eightball src]$ ./posadis %08x
2002/03/27 01:53|PANIC: Unrecognized option: 4016814c

--begin posadis.conf
%08x
--end posadis.conf

[kkr@eightball src]$ ./posadis
2002/03/27 01:59|ERROR: posadis.conf:1: Unknown command 4016814c!
2002/03/27 01:59|PANIC: Loading posadis.conf failed!
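As an added example (this is not Posadis code and not part of the original advisory), the C program below reproduces the log_print() mistake in miniature next to its one-line fix, and adds a small directive counter that accounts for the two test results above. It assumes nothing beyond the standard C library; the "Unknown command" message and the "100%%" input are constructed here for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the printf directives in s that consume an argument ("%%" does not).
 * When an expanded message is fed back to printf() as its format, this is the
 * number of stack words printf() will read (or, for %n, write) that nobody
 * supplied. A tiny printf grammar is enough: flags, width, precision, length. */
int count_arg_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                              /* "%%": literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))           /* flags */
            p++;
        if (*p == '*') {                            /* width taken from an argument */
            n++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                            /* precision */
            p++;
            if (*p == '*') {
                n++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))         /* length modifiers */
            p++;
        if (*p == '\0')                             /* dangling '%' at end of string */
            break;
        n++;                                        /* the conversion itself */
    }
    return n;
}

/* The Posadis pattern: expand the message into buff, then hand buff itself to a
 * printf-family function as the FORMAT. gcc and clang warn about this
 * (-Wformat-security); the pragma exists only so the bug can be built on
 * purpose. That warning is the check that would have caught the original. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_vulnerable(char *out, size_t outsz, const char *fmt, ...)
{
    char buff[256];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buff, sizeof buff, fmt, args);        /* fine: fmt is the caller's literal */
    va_end(args);
    return snprintf(out, outsz, buff);              /* BUG: buff is now the format string */
}
#pragma GCC diagnostic pop

/* Fixed: the expanded message is always an argument, never a format. */
int log_fixed(char *out, size_t outsz, const char *fmt, ...)
{
    char buff[256];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buff, sizeof buff, fmt, args);
    va_end(args);
    return snprintf(out, outsz, "%s", buff);
}

int main(void)
{
    /* Constructed attacker input: a rejected command containing "%%". The
     * vulnerable logger consumes it as a directive; the fixed one logs it as
     * typed. Directives that read arguments (%08x, %s) are deliberately not run
     * through the vulnerable path here, since that is undefined behaviour;
     * count_arg_directives() shows how many bogus reads they would cause. */
    const char *bad_cmd = "100%%";
    char out[256];

    log_vulnerable(out, sizeof out, "Unknown command %s!", bad_cmd);
    printf("vulnerable: %s\n", out);
    log_fixed(out, sizeof out, "Unknown command %s!", bad_cmd);
    printf("fixed:      %s\n", out);

    printf("directives in \"Unknown command %%08x!\": %d\n",
           count_arg_directives("Unknown command %08x!"));
    printf("directives in \"%%s%%s%%s%%s\": %d\n",
           count_arg_directives("%s%s%s%s"));
    return 0;
}
```

Build it with `cc -Wall -Wformat -Wformat-security` and then delete the pragma block to see the compiler flag `snprintf(out, outsz, buff)` on its own; a hardened build with `-Werror=format-security` refuses to compile the vulnerable variant at all. Independently of the format string issue, the original log_print() also writes into its fixed 4096-byte buff with vsprintf() and strcat() without any bound, which is why this example uses vsnprintf() throughout.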

ADDITIONAL INFORMATION

The information has been provided by <mailto:kkr@dekode.org> kkr.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
