[UNIX] Neon Format String Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

  • Next message: SecuriTeam: "[NEWS] RealNetworks Helix Universal Server DoS (GET_PARAMETER, DESCRIBE)"
    To: list@securiteam.com
    Date: 18 Apr 2004 14:02:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Neon Format String Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    void.at has discovered a format string vulnerability in
    <http://www.webdav.org/neon> neon. neon is "a WebDAV client library, used
    by Subversion and others". A malicious WebDAV server sending a specially
    crafted WebDAV response can exploit the vulnerability.

    DETAILS

    Vulnerable Systems:
     * neon version 0.24.4 and prior

    Immune Systems:
     * neon version 0.24.5 and newer

    One particular bug is that if the response of the web server doesn't start
    with "HTTP", it is considered invalid and will be logged via ne_set_error.
    You can supply %08x%08x etc there and it will be executed by a libc format
    function.

    webdav-requests always start with PROPFIND:

    Request:
    PROPFIND /lenya/blog/authoring/entries/2003/08/24/peanuts/ HTTP/1.1
    Pragma: no-cache
    Cache-control: no-cache
    Accept: text/*, image/jpeg, image/png, image/*, */*
    Accept-Encoding: x-gzip, gzip, identity
    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
    Accept-Language: en
    Host: 127.0.0.1
    Depth: 0

    Response:
    HTTP/1.1 207 Multi-Status
    X-Cocoon-Version: 2.1
    Set-Cookie: JSESSIONID=320E3B1395B867B5BC42B5FC93457C36; Path=/lenya
    Content-Type: text/xml
    Transfer-Encoding: chunked
    Date: Mon, 25 Aug 2003 14:27:12 GMT
    Server: Apache Coyote/1.0

    <?xml version="1.0" encoding="UTF-8"?>
    <D:multistatus xmlns:D="DAV:">

    <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
    <D:href>/lenya/blog/authoring/entries/2003/08/24/peanuts/</D:href>
    <D:propstat>
    <D:prop>
    <lp1:resourcetype><D:collection/></lp1:resourcetype>
    <D:getcontenttype>httpd/unix-directory</D:getcontenttype>
    </D:prop>
    <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
    </D:response>

    </D:multistatus>

    The formatstring bug can be triggered with a response like:
    ..
    <D:status>%08x%08x</D:stat>

    Impact:
    Middle. Man-in-the-middle-attack or fake server needed. Note that all
    clients using this library (such as Subversion) are affected.

    Solution:
    neon 0.24.5 fixes the described problem. You can get it from
    <http://www.webdav.org/neon/neon-0.24.5.tar.gz>
    http://www.webdav.org/neon/neon-0.24.5.tar.gz.

    Discovery Timeline:
    2004-03-10: Bug discovered
    2004-03-15: Contacted jorton@redhat.com (maintainer)
    2004-03-16: Maintainer confirmation
    2004-04-14: Maintainer released fixed version 0.24.5
    2004-04-16: Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:greuff@void.at> Thomas Wana.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] RealNetworks Helix Universal Server DoS (GET_PARAMETER, DESCRIBE)"

    Relevant Pages

    • [NT] Microsoft IIS WebDAV (XML Parser) Attribute Blowup DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... send a specially crafted WebDAV request to a server that is running IIS ... * Microsoft Windows NT Server 4.0 Service Pack 6 ...
      (Securiteam)
    • [UNIX] Libneon Date Parsing Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... neon is "an HTTP and WebDAV client library, ... A vulnerability within a libneon date parsing ... depending on the application using libneon. ...
      (Securiteam)
    • [NT] Cross Application Scripting in Trend Micros Antivirus Software
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The SecuriTeam alerts list - Free, Accurate, Independent. ... When the product alerts the user of a possible virus, it creates an HTML ...
      (Securiteam)
    • [NT] Microsoft Windows NTFS Improper Handler Closing
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... from a system shutdown, uninitialized data may be visible in files from ...
      (Securiteam)
    • [NEWS] Gecko Engine Multiple Vendor DoS (History.dat)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Basically firefox logs all kinda of URL data in it's history.dat file, ... it will instantly crash due to a buffer overflow -- this will ...
      (Securiteam)