[UNIX] Neon Format String Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

  • Next message: SecuriTeam: "[NEWS] RealNetworks Helix Universal Server DoS (GET_PARAMETER, DESCRIBE)"
    To: list@securiteam.com
    Date: 18 Apr 2004 14:02:26 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Neon Format String Vulnerabilities


    void.at has discovered a format string vulnerability in
    <http://www.webdav.org/neon> neon. neon is "a WebDAV client library, used
    by Subversion and others". A malicious WebDAV server sending a specially
    crafted WebDAV response can exploit the vulnerability.


    Vulnerable Systems:
     * neon version 0.24.4 and prior

    Immune Systems:
     * neon version 0.24.5 and newer

    One particular bug is that if the response of the web server doesn't start
    with "HTTP", it is considered invalid and will be logged via ne_set_error.
    You can supply %08x%08x etc there and it will be executed by a libc format

    webdav-requests always start with PROPFIND:

    PROPFIND /lenya/blog/authoring/entries/2003/08/24/peanuts/ HTTP/1.1
    Pragma: no-cache
    Cache-control: no-cache
    Accept: text/*, image/jpeg, image/png, image/*, */*
    Accept-Encoding: x-gzip, gzip, identity
    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
    Accept-Language: en
    Depth: 0

    HTTP/1.1 207 Multi-Status
    X-Cocoon-Version: 2.1
    Set-Cookie: JSESSIONID=320E3B1395B867B5BC42B5FC93457C36; Path=/lenya
    Content-Type: text/xml
    Transfer-Encoding: chunked
    Date: Mon, 25 Aug 2003 14:27:12 GMT
    Server: Apache Coyote/1.0

    <?xml version="1.0" encoding="UTF-8"?>
    <D:multistatus xmlns:D="DAV:">

    <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
    <D:status>HTTP/1.1 200 OK</D:status>


    The formatstring bug can be triggered with a response like:

    Middle. Man-in-the-middle-attack or fake server needed. Note that all
    clients using this library (such as Subversion) are affected.

    neon 0.24.5 fixes the described problem. You can get it from

    Discovery Timeline:
    2004-03-10: Bug discovered
    2004-03-15: Contacted jorton@redhat.com (maintainer)
    2004-03-16: Maintainer confirmation
    2004-04-14: Maintainer released fixed version 0.24.5
    2004-04-16: Public disclosure


    The information has been provided by <mailto:greuff@void.at> Thomas Wana.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] RealNetworks Helix Universal Server DoS (GET_PARAMETER, DESCRIBE)"