Remote multiple vulnerability in apt-www-proxy.

From: dong-h0un U (xploit@hackermail.com)
Date: 12/08/02

Next message: Rob klein Gunnewiek: "proftpd <=1.2.7rc3 DoS"

Previous message: Dorin Balanica: "Input Validation Error in vbulletin 2.2.x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "dong-h0un U" <xploit@hackermail.com>
To: bugtraq@securityfocus.com
Date: Mon, 09 Dec 2002 04:58:52 +0800

        ========================================
        INetCop Security Advisory #2002-0x82-009
        ========================================

* Title: Remote multiple vulnerability in apt-www-proxy.

0x01. Description

__
bash$ lynx -dump http://ironsides.terrabox.com/~ahzz/apt-www-proxy/

apt-www-proxy

   apt-www-proxy is a proxy server designed specificly for apt-get
   http:// repositories. It gathers files that clients request, and then
   simultaneously retrieves, streams to client, and to local disk archive
   based on a set of archive mappings a lot like apt-proxy does. I
   decided to write this due to the unstable nature of apt-proxy. IMHO
   this is due to it being written in shell script. It's a good design,
   just was never implemented in the right kind of language.

[1]apt-www-proxy 0.1 - accepts clients and automaticly says "not
found". nifty eh? 8-P

And of course, who would be without the [2]latest snapshot!

Back to my [3]homepage!

References

   1. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/apt-www-proxy-0.1.tar.gz
   2. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/latest-AWP.tar.bz2
   3. http://ironsides.terrabox.com/~ahzz/index.html
bash$

--
OK, Let's analyze.
Examine syslog() function first.
There is awp_log() function to 173 lines of 'src/utils.c' code.
    __
   173  void awp_log(int level, const char *message)
        ...
   222    if((level < LOG_DEBUG) || (1 ==  logit))
   224        /* log that information */
   227            syslog(level, message); // Here.
        ...
    --
It's very bad state.
awp_log() function is used as follows.
Format string bug happens by setting file error log.
Let's find awp_log() function in 'apt-www-proxy.c' code.
    __
    47    awp_log(LOG_DATA, errlog);
    78    awp_log(LOG_DATA, errlog);
    93    awp_log(LOG_DATA, errlog);
   130                awp_log(LOG_DATA, errlog);
   146                awp_log(LOG_DATA, errlog);
   157            awp_log(LOG_GEN, errlog);
   287    awp_log(LOG_NOTICE, errlog);
   500        awp_log(LOG_NOTICE,errlog);
   510        awp_log(LOG_CRIT, errlog);
   527            awp_log(LOG_ERR, errlog);
   538    awp_log(LOG_INFO, errlog);
   546        awp_log(LOG_NOTICE, errlog);
   554        awp_log(LOG_NOTICE, errlog);
   560        awp_log(LOG_NOTICE, errlog);
   572        awp_log(LOG_NOTICE, errlog);
    --
Second, examine remote DoS vulnerability.
We read 'utils.c' code again.
    __
   260  int parse_get(struct client * client)
        ...
   268    /* now match against the archives */
   269    if(!strncmp("http://", client->get, 7)) // Here.
   270      {
   271        /* AHHA! It's a full URL. */
    --
If 'client->get' value is NULL, strncmp() function segfault happens crash.
Program function execution structure is as following.
----------------------------------------------------------------------
main()->main_loop()->process_cli()->parse_get()->strncmp()->'segfault'
----------------------------------------------------------------------
0x02. Vulnerable Packages
Vendor site: http://ironsides.terrabox.com/~ahzz/apt-www-proxy/
apt-www-proxy 0.1
-apt-www-proxy-0.1.tar.gz
+Linux
0x03. Exploit
Do you want exploit code? Very regrettable. :-(
We don't want to compose DoS code.
0x04. Patch
=== utils.patch ===
--- utils.c	Mon Oct 22 15:20:29 2001
+++ utils.patch.c	Sat Nov 30 02:26:35 2002
@@ -224,11 +224,11 @@
       /* log that information */
       if(background)
 	{
-	  syslog(level, message);
+	  syslog(level, "%s", message);
 	}
       else
 	{
-	  fprintf(stderr, message);
+	  fprintf(stderr, "%s", message);
 	}
     }
 }
@@ -265,6 +265,10 @@
   struct urlmask *curu = urls;
   int found = 0;
 
+  if(client->get==NULL)
+  {
+      return(0);
+  }
   /* now match against the archives */
   if(!strncmp("http://", client->get, 7))
     {
=== eof ===
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
-- 
_______________________________________________
Get your free email from http://www.hackermail.com
Powered by Outblaze

Next message: Rob klein Gunnewiek: "proftpd <=1.2.7rc3 DoS"
Previous message: Dorin Balanica: "Input Validation Error in vbulletin 2.2.x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Remote multiple vulnerability in apt-www-proxy.
... bash$ lynx -dump http://ironsides.terrabox.com/~ahzz/apt-www-proxy/ ... simultaneously retrieves, streams to client, and to local disk archive ... 47 awp_log(LOG_DATA, errlog); ... /* now match against the archives */ ...
(Bugtraq)
Re: Basic Cross Memory questions
... Having the system LX validate the client and set ... (ATSET and ETCON/ETDIS) ... since I need to be in supervisor state anyway for the ATSET. ... the archives at http://bama.ua.edu/archives/ibm-main.html ...
(bit.listserv.ibm-main)
RE: Finally get to go from os390 2.10 to zOS 1.8
... IBM says flat out that OS/390 cannot run on a z9 at all. ... My client brought in Mainline and IBM so that the new system ... send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO ... Search the archives at http://bama.ua.edu/archives/ibm-main.html ...
(bit.listserv.ibm-main)
Creating a multi-tier client/server application
... I've searched through the archives here, ... The application definitely needs at least three tiers: client, server, ... I'd also like to use SQLAlchemy, ...
(comp.lang.python)