[VulnWatch] zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)

From: NGSSoftware Insight Security Research (nisr@nextgenss.com)
Date: 12/16/02

  • Next message: NGSSoftware Insight Security Research: "[VulnWatch] PFinger 0.7.8 format string vulnerability (#NISR16122002B)"
    From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    Date: Mon, 16 Dec 2002 19:53:29 -0000
    
    

    NGSSoftware Insight Security Research Advisory

    Name: zkfingerd Format String vulnerability
    Systems: zkfingerd version 0.9.1 and earlier
    Severity: High Risk
    Vendor URL: http://sourceforge.net/projects/zkfingerd
    Author: David Litchfield (david@ngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/zkfingerd.txt
    Date: 16th December 2002
    Advisory number: #NISR16122002A

    Description
    ***********
    zkfingerd is an open-source replacement for standard finger daemons running
    on Linux systems. zkfingerd suffers from several format string
    vulnerabilities that, when exploited, can allow the remote execution of
    arbitrary code.

    Details
    *******
    The first format string vulnerability can be found in the putlog() function
    of log.c. An unsafe call is made to the syslog() function.

    ..
    syslog(LOG_INFO, c);
    ..

    To make this safe a format string should be specified:

    ..
    syslog(LOG_INFO,"%s", c);
    ..

    By fingering a "user" and designing a special format string as the user, it
    is possible to overwrite arbitray locations in memory with values supplied
    by an attacker using the %n specifier. This can lead to arbitrary code
    execution.

    Further format string vulnerabilities, that all have the same root cause,
    are due to the say() function:

    void
    say(char *fmt, ...)
    {
            va_list ap;

            va_start(ap, fmt);
            vprintf(fmt, ap);
            va_end(ap);

            printf("\r\n");
            fflush(stdout);

            return;
    }

    If, when say() is called, the first argument is not a format string but
    input a remote user can control then the vulnerability will manifest itself.
    One such place is in the file_list() function:

    if(S_ISDIR(st.st_mode))
    {
            char *y, *z;
            files++;
            z = xmalloc(strlen(de->d_name) + 2);
            strcpy(z, de->d_name);
            strcat(z, "/");
            x = xmalloc(32 + strlen(de->d_name));
            y = my_ctime(st.st_mtime);
            sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
            say(x);
            xfree(x);
            xfree(y);
            xfree(z);
            continue;
    }

    In this case if the name of a directory contains an attacker supplied format
    string then it can overwrite arbitrary locations in memory with attacker
    supplied values.

    Fix Information
    ***************
    NGSSoftware alerted the author of zkfingerd with these problems on the 27th
    of November, 2002. The author responed quickly and made the relevant
    security fixes. Patched source code can be download from CVS @ Sourceforge.

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/

    A check for this issue has been added to Typhon III, NGSSoftware's advanced
    vulnerability assessment tool, of which, more information is available at
    the NGSSite: http://www.ngssoftware.com/

    For more information about format string vulnerabilities please read

    http://www.nextgenss.com/papers/win32format.doc
    http://julianor.tripod.com/usfs.html

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/
    http://www.ngsconsulting.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076
    enquiries@ngssoftware.com



    Relevant Pages