[UNIX] SNMPPd Format String Vulnerability

• Previous message: SecuriTeam: "[UNIX] Canonicalization and Directory Traversal in iSeries FTP Security Products"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 25 Apr 2005 18:02:41 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  SNMPPd Format String Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://slava.local.nsys.by/projects/snmppd/> snmppd is "an SNMP proxy
daemon that is designed to work with Nagios. It loads MIBs upon startup,
listens on a TCP socket for SNMP GET requests, polls the specified host,
and returns the value to caller process. The caller process is usually the
Nagios plugin check_snmpp".

A format string vulnerability has been discovered in SNMP Proxy daemon,
allowing a remote attacker to cause the program to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * snmppd version 0.4.5 and prior

Vulnerable code:
The following code can be found in the file
/snmppd-0.4.5/snmppd/snmppd_util.c:
    --
        ...
    23 void snmppd_log(int level, char *fmt, va_list args)
    24 {
    25 char buffer[2048];
    26 vsnprintf(buffer, 2048, fmt, args);
    27 if (config.debug || config.nofork) {
        ...
    38 } else {
    39 if (level >= LOG_INFO) {
    40 syslog(level, buffer);
    41 }
    42 }
    43 }
        ...
    45 void log_error(char *fmt, ...)
    46 {
        ...
    50 snmppd_log(LOG_ERR, fmt, args);
        ...
    52 }
    53
    54 void log_info(char *fmt, ...)
    55 {
        ...
    59 snmppd_log(LOG_INFO, fmt, args);
        ...
    61 }
    62
    63 void log_debug(char *fmt, ...)
    64 {
        ...
    69 snmppd_log(LOG_DEBUG, fmt, args);
        ...
    72 }
    --

As can be seen the syslog() function is called without a constant format
string, further the format string is the user provided data, allowing an
attacker to cause the program to execute arbitrary code.

Patch:
snmppd 0.4.5 patch:

 === snmppd-0.4.5.patch ===
--- snmppd_util.c Thu Jul 11 18:52:34 2002
+++ patch/snmppd_util.c Sat Mar 5 23:54:54 2005
@@ -37,7 +37,7 @@
        fputc('\n', stdout);
     } else {
        if (level >= LOG_INFO) {
- syslog(level, buffer);
+ syslog(level, "%s", buffer);
        }
     }
 }

ADDITIONAL INFORMATION

The information has been provided by <mailto:xploit@hackermail.com>
dong-hun you.
The original article can be found at: <http://www.inetcop.net>
http://www.inetcop.net

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Canonicalization and Directory Traversal in iSeries FTP Security Products"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]