Re: [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
From: Flavio Veloso (flaviovs@magnux.com)
Date: 11/28/01
- Previous message: Indigo: "Firewall-1 remote SYSTEM shell buffer overflow"
- In reply to: Benoît Roussel: "[CERT-intexxia] libgtop_daemon Remote Format String Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 Nov 2001 08:52:27 -0200 (BRST)
From: Flavio Veloso <flaviovs@magnux.com>
To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Subject: Re: [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
Message-ID: <Pine.LNX.4.33.0111280819050.22063-100000@ops.magnux.com>
On Tue, 27 Nov 2001, Benoît Roussel wrote:
> ________________________________________________________________________
> SECURITY ADVISORY INTEXXIA(c)
> 27 11 2001 ID #1048-261101
> ________________________________________________________________________
> TITLE : libgtop_daemon Remote Format String Vulnerability
> CREDITS : Guillaume Pelat / INTEXXIA
> ________________________________________________________________________
>
>
> SYSTEM AFFECTED
> ===============
>
> libgtop_daemon <= 1.0.12
When investigating this issue I noticed another big security hole in
the daemon. It's a buffer overflow in the same permitted() function,
which may allow the client to execute code on the server. Here's the
code:
permitted (u_long host_addr, int fd)
{
    (...)
    char buf[1024];
    int auth_data_len;
    (...)
    /* 10-byte decimal length field sent by the client */
    if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
        return FALSE;

    auth_data_len = atoi (buf);

    /* client-supplied length used directly as the read size; never checked against sizeof(buf) */
    if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
        return FALSE;
Here you can see the bug in action:
$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
nc localhost 42800
The GNOME folks and vendors were already notified. Since this bug is
too obvious to a casual reviewer of the flaw reported by INTEXXIA, and
since a patch is also available (see below), we are treating it as
already disclosed.
Here goes the patch. It should be applied against 1.0.13 (released on
2001-11-27). Notice that this new version _already_ fixed the format
bug, but _not_ the buffer overflow. You should apply the patch or wait
for 1.0.14.
diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@
auth_data_len = atoi (buf);
+ if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+ syslog_message(LOG_WARNING,
+ "Invalid data length supplied by client");
+ return FALSE;
+ }
+
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
return FALSE;
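Review bot: in the added range check, `auth_data_len > sizeof(buf)` still accepts a length of exactly 1024, which fills buf completely and leaves no room for a terminating NUL; that is safe only if the auth data is later compared by explicit length (memcmp) rather than handled as a C string, otherwise the test should be `auth_data_len >= sizeof(buf)`. The `auth_data_len < 1` test must stay first, since it keeps negative values out of the int-versus-size_t comparison that follows it. Separately, `auth_data_len = atoi (buf)` has undefined behaviour when the 10-byte field holds a value outside int range; strtol with an ERANGE check would make the new bound reliable on such input.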
-- Flávio
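The following is an added example and is not code from the post above or from libgtop. It models the permitted() read sequence the message describes (a 10-byte decimal length field followed by that many bytes of auth data into a 1024-byte buffer) against an in-memory byte stream instead of a socket, and runs an unchecked reader beside a hardened one over constructed messages, including the 2000-byte payload from the perl one-liner. The stream helper, the function names read_auth_unchecked/read_auth_checked and probe, and the use of a larger heap region so the spill can be measured without undefined behaviour are all assumptions for illustration.

```c
/* Added example: not from the original post or from libgtop.
 * Models the length-prefixed auth read from permitted() over an
 * in-memory stream; helper names and layout are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_BUFSZ 1024   /* char buf[1024] in the excerpt */
#define LEN_FIELD  10     /* timed_read (fd, buf, 10, ...) in the excerpt */

/* Stand-in for the socket: a constructed client message. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} stream_t;

/* Model of timed_read: copy up to n bytes, return how many were available. */
static long stream_read_n(stream_t *s, char *buf, long n)
{
    if (n < 0) return -1;                  /* a negative request cannot be satisfied */
    size_t avail = s->len - s->pos;
    size_t take = (size_t)n < avail ? (size_t)n : avail;
    memcpy(buf, s->data + s->pos, take);
    s->pos += take;
    return (long)take;
}

/* Reader as in the vulnerable excerpt: the client's length is trusted.
 * Returns the accepted length, or -1 when the read fails. */
static int read_auth_unchecked(stream_t *s, char *buf, size_t bufsz)
{
    char lenfield[LEN_FIELD + 1];
    if (stream_read_n(s, lenfield, LEN_FIELD) != LEN_FIELD) return -1;
    lenfield[LEN_FIELD] = '\0';
    int auth_data_len = atoi(lenfield);
    (void)bufsz;                           /* never consulted: this is the bug */
    if (stream_read_n(s, buf, auth_data_len) != auth_data_len) return -1;
    return auth_data_len;
}

/* Hardened reader: parse the length with strtol so out-of-range input is
 * detectable, then require 1 <= n < bufsz so a NUL terminator always fits. */
static int read_auth_checked(stream_t *s, char *buf, size_t bufsz)
{
    char lenfield[LEN_FIELD + 1];
    if (stream_read_n(s, lenfield, LEN_FIELD) != LEN_FIELD) return -1;
    lenfield[LEN_FIELD] = '\0';
    char *end;
    errno = 0;
    long n = strtol(lenfield, &end, 10);
    if (errno == ERANGE || end == lenfield) return -1;
    if (n < 1 || (size_t)n >= bufsz) return -1;   /* the missing bounds check */
    if (stream_read_n(s, buf, n) != n) return -1;
    buf[n] = '\0';
    return (int)n;
}

typedef struct {
    int accepted_len;     /* -1 if the reader rejected the message */
    int overflow_bytes;   /* bytes written past the 1024-byte buffer */
} probe_result;

/* Build a message (length text NUL-padded to 10 bytes, then data_len 'A's,
 * as in the perl one-liner), feed it to one reader, and measure any spill.
 * The buffer sits at the start of a larger heap region so an oversized
 * copy lands in memory we own and can be counted. */
probe_result probe(const char *len_text, size_t data_len, int checked)
{
    probe_result r = { -1, 0 };
    size_t msglen = LEN_FIELD + data_len;
    size_t regsz = AUTH_BUFSZ + data_len + 1;
    unsigned char *msg = calloc(msglen, 1);
    char *region = calloc(regsz, 1);
    if (!msg || !region) { free(msg); free(region); return r; }

    size_t tl = strlen(len_text);
    memcpy(msg, len_text, tl < LEN_FIELD ? tl : LEN_FIELD);
    memset(msg + LEN_FIELD, 'A', data_len);

    stream_t s = { msg, msglen, 0 };
    r.accepted_len = checked ? read_auth_checked(&s, region, AUTH_BUFSZ)
                             : read_auth_unchecked(&s, region, AUTH_BUFSZ);
    for (size_t i = AUTH_BUFSZ; i < regsz; i++)
        if (region[i] == 'A') r.overflow_bytes++;

    free(msg);
    free(region);
    return r;
}

int main(void)
{
    probe_result a = probe("2000", 2000, 0);
    probe_result b = probe("2000", 2000, 1);
    printf("unchecked: accepted=%d overflow=%d\n", a.accepted_len, a.overflow_bytes);
    printf("checked:   accepted=%d overflow=%d\n", b.accepted_len, b.overflow_bytes);
    return 0;
}
```

The unchecked reader accepts the 2000-byte message and writes 976 bytes beyond the buffer, which is the condition the one-liner triggers; the checked reader rejects it, and also rejects a length of exactly 1024 (no room for a terminator), zero, negative and non-numeric lengths, while still accepting ordinary cookie-sized data.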