
[CERT-intexxia] Auto Nice Daemon Format String Vulnerability
From: Benoît Roussel <benoit.roussel () intexxia com>
Date: Mon, 26 Nov 2001 08:09:57 +0100


________________________________________________________________________
SECURITY ADVISORY                                            INTEXXIA(c)
26 11 2001                                               ID #1047-231101
________________________________________________________________________
TITLE   : Auto Nice Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________


SYSTEM AFFECTED
===============

        AND <= 1.0.4


________________________________________________________________________


DESCRIPTION
===========

       Auto Nice Daemon is vulnerable to a format string bug that can be
exploited by a local user to gain higher privileges.


________________________________________________________________________


DETAILS
=======

        AND (Auto Nice Daemon, http://and.sourceforge.net/) is a daemon
which automatically changes the priority of a user process if it uses too
much CPU time. It can also kill the process if it goes beyond a defined
level.

AND is vulnerable to a format string bug. A local user can exploit this
issue to gain higher privileges on the local system. The user only needs
to run a process whose name contains a format string, such as '%n%n%n%n'.

The problem occurs when the program calls the syslog(3) function with a
buffer containing the process name as the format (second) parameter. Since
a user can give a process any name, this vulnerability is easy to exploit.

Complete exploitation of this vulnerability can lead to privilege
escalation on the system. Because the AND process runs as 'root', a local
user could execute arbitrary code with 'root' privileges.


________________________________________________________________________


PROOF OF CONCEPT
================

        It is simple to create a program that consumes a lot of CPU time
and give it a specially crafted name that triggers this bug:

  % cat foo.c
  int main(void)
  {
      while (1)
          ;
      return 0;
  }
  % gcc foo.c -o %n%n%n%n
  % ./%n%n%n%n

This causes a segmentation fault in the AND daemon.
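As an added illustration (not code from the advisory or the AND project), the patched logging pattern beside a simple check a daemon could use to flag process names that carry printf directives; the function names and the sample process name are constructed for this example:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf conversion directives in an untrusted string such as a
 * process name. "%%" is a literal percent sign and is not counted.
 * A non-zero result means the string must never be used as a format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build one log line the way a daemon like AND does: a trusted, constant
 * format plus variable data (the process name) rendered into a fixed-size
 * buffer. Returns the length written, or -1 on error or truncation. */
int format_log_line(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list args;
    int len;
    va_start(args, fmt);
    len = vsnprintf(buf, bufsize, fmt, args);
    va_end(args);
    if (len < 0 || (size_t)len >= bufsize)
        return -1;
    return len;
}

/* Hand the finished line to syslog. The vulnerable form in and.c was
 *     syslog(LOG_WARNING, buffer);
 * which treats any '%' inside the process name as a directive. The
 * patched form passes a constant format and the buffer as data only. */
void log_line_safe(const char *buffer)
{
    syslog(LOG_WARNING, "%s", buffer);
}

/* Check that a hostile process name (constructed sample) survives the
 * trusted-format path verbatim as data. Returns 1 if it does. */
int name_logged_as_data(const char *procname)
{
    char buf[128];
    if (format_log_line(buf, sizeof buf, "process %s exceeded the CPU limit", procname) < 0)
        return 0;
    return strstr(buf, procname) != NULL;
}
```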


________________________________________________________________________


SOLUTION
========

        An official fix is available from the following web site. Update
AND to version 1.0.5:

http://and.sourceforge.net


You can also apply the following patch, which fixes the vulnerability:

  diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c
  --- and-1.0.4/and.c     Sat Jul  7 21:43:15 2001
  +++ and-1.0.4-patched/and.c     Fri Nov 23 11:50:27 2001
  @@ -218,7 +218,7 @@
         fflush(out);
       } else {
         /* write to syslog if in full operations */
  -      syslog(LOG_WARNING,buffer);
  +      syslog(LOG_WARNING, "%s", buffer);
       }
     }
     va_end(args);
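Review bot: the fix is right for the syslog branch, but the preceding branch, which appears to write the same formatted buffer to `out` (only `fflush(out);` of it is visible in this hunk), is not covered, and the hunk does not show whether that write also hands `buffer` over as the format string; it should use `fprintf(out, "%s", buffer)` or `fputs(buffer, out)` so that both output paths treat the process name as data.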


________________________________________________________________________


VENDOR STATUS
=============

        23-11-2001 : This bulletin was sent to the AND developers team.
        23-11-2001 : Answer from the AND developers team with a fix.



________________________________________________________________________


CONTACT
=======

Laboratory intexxia                                    cert () intexxia com

INTEXXIA                                    Standard : +33 1 55 69 49 10
171, av. Georges Clemenceau                      Fax : +33 1 55 69 78 80
92024 Nanterre Cedex
France

(c) Intexxia 2001. Any copy of this file, even partial, is subject to
prior agreement of Intexxia.

The opinions expressed in this file are not necessarily the opinion of
all Intexxia staff members.

