[VulnWatch] tcpflow 0.2.0 Format String Vulnerability

From: _at_stake Advisories (_at_stake)
Date: 08/07/03

  • Next message: Ferruh Mavituna: "[VulnWatch] VBulletin New Member XSS Vulnerability" 
    Date: Thu, 07 Aug 2003 16:50:40 -0400
To: vulnwatch@vulnwatch.org

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                 Security Advisory

    Advisory Name: tcpflow 0.2.0 Format String Vulnerability
     Release Date: 08/07/2003
      Application: tcpflow
         Platform: UNIX
         Severity: High or None (See Below)
           Author: Dave G. <daveg@atstake.com>
    Vendor Status: Vendor has fixed version
    CVE Candidate: CAN-2003-0671
        Reference: www.atstake.com/research/advisories/2003/a080703-2.txt

    Overview:

    tcpflow is a network monitoring tool that records TCP sessions in an
    easy to use and view manner. This tool contains a format string
    vulnerability that is typically unexploitable. However, there has
    been at least a couple of network management tools (IPNetMonitorX and
    IPNetSentryX) that allowed for this vulnerability to be successfully
    exploited.

    - - -IMPORTANT NOTE-

    This advisory is being released to inform other developers that may
    rely on this tool, and to serve as an addendum to the @stake advisory
    entitled: "Sustworks Unauthorized Network Monitoring and tcpflow
    Format String Attack."

           
    Details:

    tcpflow contains an exploitable format string vulnerability during
    the opening of a device via libpcap. This code snippet is from the
    current version of tcpflow:

    - - From tcpflow:main.c
    - - -------------------
        /* make sure we can open the device */
        if ((pd = pcap_open_live(device, SNAPLEN, !no_promisc, 1000,
           error)) == NULL)
          die(error);

        /* drop root privileges - we don't need them any more */
        setuid(getuid());

    As we can see, if the call to pcap_open_live() fails, the error
    message will be passed to an error handling and cleanup function
    called die(). This happens just before privileges are dropped by the
    application. Looking at the code snippets below, we can see that
    this error message will get passed as the format string to the
    vfprintf() call inside of print_debug_message(). Since the device
    name is included as part of the libpcap error, and device is
    specified by the user, an attacker can input format specifiers into
    vfprintf().

    - - From tcpflow:util.c
    - - ------------------- void die(char *fmt, ...)
    {
      va_list ap;

      va_start(ap, fmt);
      print_debug_message(fmt, ap);
      exit(1);
    }

    /*
     * Print a debugging message, given a va_list
     */
    void print_debug_message(char *fmt, va_list ap)
    {
      /* print debug prefix */
      fprintf(stderr, "%s: ", debug_prefix);

      /* print the var-arg buffer passed to us */
      vfprintf(stderr, fmt, ap);

      /* add newline */
      fprintf(stderr, "\n");
      (void) fflush(stderr);
    }

    To test if your version of tcpflow is vulnerable, simply execute
    tcpflow as root with the command line argument of -i %x%x%x%x%x%x.
    If the tcpflow error message contains a large hexadecimal string,
    your version is vulnerable.

    For example:

    bash-2.05a$ sudo bash
    bash-2.05a# tcpflow -i %x%x%x%x%x%x
    tcpflow[1195]: BIOCSETIF: 1a45017646365206e1a010365c: Device not
     configured

     
    Vendor Response:

    There is an updated version of tcpflow available from
    http://www.circlemud.org/~jelson/software/tcpflow.

    Recommendation:

    Upgrade tcpflow and ensure that it is not setuid root.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2003-0671 tcpflow format string vulnerability through
                    RunTCPFlow

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPzK7SEe9kNIfAm4yEQLIQgCg2FsuanlbSV/45hkgxBOE8GvKOlsAoKQt
    TgybHf+i2Zo041zjMRMEOZCx
    =B4H2
    -----END PGP SIGNATURE-----

  • Next message: Ferruh Mavituna: "[VulnWatch] VBulletin New Member XSS Vulnerability"