[UNIX] zkfingerd Format String Vulnerability

From: support@securiteam.com
Date: 12/25/02


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      zkfingerd Format String Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    zkfingerd (http://sourceforge.net/projects/zkfingerd) is an open-source
    replacement for the standard finger daemons running on Linux systems.
    zkfingerd suffers from several format string vulnerabilities that, when
    exploited, can allow the remote execution of arbitrary code.

    DETAILS

    Vulnerable systems:
     * zkfingerd version 0.9.1 and earlier

    The first format string vulnerability can be found in the putlog()
    function of log.c. An unsafe call is made to the syslog() function.

    .
    syslog(LOG_INFO, c);
    .

    To make this safe a format string should be specified:

    .
    syslog(LOG_INFO,"%s", c);
    .

    By fingering a "user" and supplying a specially crafted format string as the
    user name, it is possible to overwrite arbitrary locations in memory with
    attacker-supplied values using the %n specifier. This can lead to arbitrary
    code execution.

    Further format string vulnerabilities, all sharing the same root cause,
    stem from the say() function:

    void
    say(char *fmt, ...)
    {
            va_list ap;

            va_start(ap, fmt);
            vprintf(fmt, ap);       /* fmt is passed straight through as the format string */
            va_end(ap);

            printf("\r\n");
            fflush(stdout);

            return;
    }

    If the first argument to say() is not a fixed format string but data that a
    remote user can control, the vulnerability manifests itself. One such place
    is the file_list() function:

    if(S_ISDIR(st.st_mode))
    {
            char *y, *z;
            files++;
            z = xmalloc(strlen(de->d_name) + 2);
            strcpy(z, de->d_name);
            strcat(z, "/");
            x = xmalloc(32 + strlen(de->d_name));
            y = my_ctime(st.st_mtime);
            sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
            say(x);                 /* x, built from de->d_name, becomes the format string */
            xfree(x);
            xfree(y);
            xfree(z);
            continue;
    }

    In this case, if the name of a directory contains an attacker-supplied
    format string, it can be used to overwrite arbitrary locations in memory
    with attacker-supplied values.
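    The following C example is added here to illustrate the fix for both call sites
    described above (the syslog() call in putlog() and the say() wrapper used by
    file_list()); it is not code from the advisory or from zkfingerd. It keeps the
    say() signature but declares it with the printf format attribute so that
    gcc/clang (-Wformat -Wformat-security) warn whenever a non-literal string is
    passed as the format, and it always passes caller data through a fixed "%s"
    format. The helper names (putlog_safe, dir_line), the output buffer, and the
    directory name and timestamp used as input are assumptions constructed for the
    example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Output is captured in a buffer so the behaviour can be checked offline;
 * the real daemon writes to stdout. (Assumption made for this example.) */
static char out_buf[512];

/* Same signature as zkfingerd's say(), plus the printf format attribute:
 * the compiler now flags calls such as say(x) where x is not a literal. */
static void say(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void say(const char *fmt, ...)
{
    va_list ap;
    size_t n;

    va_start(ap, fmt);
    vsnprintf(out_buf, sizeof out_buf, fmt, ap);
    va_end(ap);

    /* zkfingerd appends CRLF after every line; mirrored here */
    n = strlen(out_buf);
    if (n + 2 < sizeof out_buf) {
        out_buf[n] = '\r';
        out_buf[n + 1] = '\n';
        out_buf[n + 2] = '\0';
    }
}

/* Safe counterpart of the putlog() call: the message is always an argument
 * to a fixed "%s" format, never the format string itself. */
void putlog_safe(const char *c)
{
    syslog(LOG_INFO, "%s", c);
}

/* Format one directory entry the way file_list() does, but hand the result
 * to say() as data. A directory named "%n%n%n%n" is printed literally instead
 * of being interpreted as format directives. Returns the captured line. */
const char *dir_line(const char *d_name, const char *mtime)
{
    char z[256];   /* name + "/" */
    char x[320];   /* formatted line */

    snprintf(z, sizeof z, "%s/", d_name);
    snprintf(x, sizeof x, "\t%-12s\t%s\t-- DIR --", z, mtime);
    say("%s", x);  /* fixed format; x is an argument, not the format */
    return out_buf;
}

int main(void)
{
    /* Constructed sample input: a hostile directory name and a fixed timestamp */
    const char *line = dir_line("%n%n%n%n", "Wed Dec 25 11:23:54 2002");
    fputs(line, stdout);
    return 0;
}
```

    Compiling the vulnerable original with the same attribute on say() makes
    the unsafe call sites visible at build time, which is the cheapest way to
    audit a code base for this class of bug before reviewing each call by hand.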

    Fix Information:
    NGSSoftware alerted the author of zkfingerd to these problems on the
    27th of November, 2002. The author responded quickly and made the relevant
    security fixes. Patched source code can be downloaded from CVS at
    SourceForge:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.nextgenss.com/advisories/zkfingerd.txt

    The information has been provided by NGSSoftware Insight Security Research
    (nisr@nextgenss.com).
