[CERT-intexxia] Auto Nice Daemon Format String Vulnerability

From: Benoît Roussel (benoit.roussel@intexxia.com)
Date: 11/26/01


Message-ID: <010601c17649$5b0d4110$403e010a@lab.intexxia.com>
From: Benoît Roussel <benoit.roussel@intexxia.com>
To: <bugtraq@securityfocus.com>
Subject: [CERT-intexxia] Auto Nice Daemon Format String Vulnerability
Date: Mon, 26 Nov 2001 08:09:57 +0100



________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
26 11 2001 ID #1047-231101
________________________________________________________________________
TITLE : Auto Nice Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________

SYSTEM AFFECTED
===============

        AND <= 1.0.4

________________________________________________________________________

DESCRIPTION
===========

       Auto Nice Daemon is vulnerable to a format string bug that can be
exploited by a local user to gain higher privileges.

________________________________________________________________________

DETAILS
=======

        AND (Auto Nice Daemon, http://and.sourceforge.net/) is a daemon
that automatically adjusts the priority (nice level) of a user process
when it uses too much CPU time. It can also kill the process if it goes
beyond a defined level.

AND is vulnerable to a format string bug. A local user can exploit this
issue to gain higher privileges on the local system. They only need to
run a process whose name contains format directives, such as '%n%n%n%n'.

The problem occurs when the program calls the syslog(3) function with a
buffer containing the process name as its second parameter, the format
string. Since a user can name a process as they please, the vulnerability
is easy to trigger.

Complete exploitation of this vulnerability can lead to privilege
escalation on the system. As the AND process runs as 'root', a local
user could execute arbitrary code with 'root' privileges.
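The following is an added example, not code from AND or from this advisory: it shows the patched logging pattern (the formatted message goes to syslog behind a fixed "%s", so the process name is only ever data) next to a small audit helper that counts how many printf directives a string would trigger if it were mistakenly used as a format string. All function names and the warning text are hypothetical; snprintf stands in for syslog so the result can be inspected.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count the printf conversion directives a string would consume if it
 * were used as a format string. "%%" is a literal percent sign and is
 * not counted. *has_n is set when a "%n" write directive is present.
 * Hypothetical audit helper, not part of AND. */
int format_directive_count(const char *s, int *has_n)
{
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%" -> literal '%' */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) break;                     /* dangling '%' at end */
        count++;
        if (*p == 'n' && has_n) *has_n = 1;
    }
    return count;
}

/* Patched pattern, as in the advisory's fix: the untrusted process name
 * is a data argument of the first snprintf, and the finished buffer is
 * emitted through a constant "%s" format, never as a format itself.
 * The vulnerable shape would be: syslog(LOG_WARNING, buffer); */
int log_cpu_hog_safe(char *out, size_t outlen, const char *procname, int pid)
{
    char buffer[256];
    snprintf(buffer, sizeof buffer,
             "process %s (pid %d) exceeds CPU limit", procname, pid);
    /* Real daemon: syslog(LOG_WARNING, "%s", buffer); */
    return snprintf(out, outlen, "%s", buffer);   /* testable stand-in */
}
```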

________________________________________________________________________

PROOF OF CONCEPT
================

        It is simple to create a CPU-intensive program with a specially
crafted name that triggers this bug:

  % cat foo.c
  int main()
  {
      while (1);
      return 0;
  }
  % gcc foo.c -o %n%n%n%n
  % ./%n%n%n%n

This causes a segmentation fault in the AND daemon.

________________________________________________________________________

SOLUTION
========

        An official fix is available now. It can be found on the
following web site. Update AND to version 1.0.5:

http://and.sourceforge.net

You can also apply the following patch, which fixes the vulnerability:

  diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c
  --- and-1.0.4/and.c Sat Jul 7 21:43:15 2001
  +++ and-1.0.4-patched/and.c Fri Nov 23 11:50:27 2001
  @@ -218,7 +218,7 @@
         fflush(out);
       } else {
         /* write to syslog if in full operations */
  - syslog(LOG_WARNING,buffer);
  + syslog(LOG_WARNING, "%s", buffer);
       }
     }
     va_end(args);
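Review bot: the `"%s"` wrapper is the right fix for this syslog call, but `buffer` is built by a vprintf-style helper (the trailing `va_end(args)` shows this) and carries the untrusted process name, so the other output branch of the same function, the one ending in `fflush(out)` just above the hunk, should be checked to confirm it also passes `buffer` as a data argument and not as a format string. Building with `-Wformat-security` would flag any remaining non-literal format calls in and.c.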

________________________________________________________________________

VENDOR STATUS
=============

        23-11-2001 : This bulletin was sent to the AND developers team.
        23-11-2001 : Answer from the AND developers team with a fix.

________________________________________________________________________

CONTACT
=======

Laboratory intexxia                 cert@intexxia.com

INTEXXIA                            Standard : +33 1 55 69 49 10
171, av. Georges Clemenceau         Fax : +33 1 55 69 78 80
92024 Nanterre Cedex
France

(c) Intexxia 2001. Any copy of this file, even partial, is subject to
prior agreement of Intexxia.

The opinions expressed in this file are not necessarily the opinion of
all Intexxia staff members.

