Home page logo
/

bugtraq logo Bugtraq mailing list archives

[CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
From: Benoît Roussel <benoit.roussel () intexxia com>
Date: Tue, 27 Nov 2001 08:07:48 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________
SECURITY ADVISORY                                            INTEXXIA(c)
27 11 2001                                               ID #1048-261101
________________________________________________________________________
TITLE   : libgtop_daemon Remote Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________


SYSTEM AFFECTED
===============

        libgtop_daemon <= 1.0.12


________________________________________________________________________


DESCRIPTION
===========

        The Laboratory intexxia found a remote exploitable format string
vulnerability in  libgtop_daemon which could cause  privilege escalation
on a remote system.


________________________________________________________________________


DETAILS
=======

        libgtop_daemon is a GNOME daemon used to monitor process running
on a remote system.

        The Laboratory  intexxia  just  found  a  remote  format  string
vulnerability in this daemon. The 2 functions named syslog_message() and
syslog_io_message() are called with a format string which is initialized
by the client.

        By sending a specially  crafted format string  to the server, it
is possible  for a  remote attacker  to execute  arbitrary code  on  the
remote  system  with  the  daemon  permissions. This vulnerability could
cause privilege escalation.

        The permitted() function, that verifies if  the client trying to
to connect is authorized to, is concerned by this flaw.

        The libgtop_daemon daemon is  launched with 'nobody' permissions
by default. Complete  exploitation of this  vulnerability will permit an
attacker to execute code  with the  'nobody' permissions.  But this flaw
could be used to compromize  the local system by  exploiting other local
vulnerabilities.


________________________________________________________________________


PROOF OF CONCEPT
================

        Here is a proof of concept to show where the problem occurs :

Client side :
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%p%p
Connection closed by foreign host.
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%n%n
Connection closed by foreign host.

Server side :
~/# libgtop_daemon -f
' from clientn[3877]: Invalid authentication protocol
'0xbffff46c0x804b2ae
libgtop-daemon[3877]: Refused connection from 127.0.0.1.
Segmentation fault


________________________________________________________________________


WORKAROUND
==========

        Although there is an official solution, here is the way to patch
the  sources to  resolve this  problem. The  file 'src/daemon/gnuserv.c'
must be modified :

In function syslog_message(), replace :
  syslog (priority, buffer);
by :
  syslog (priority, "%s", buffer);

And in function syslog_io_message(), replace :
  syslog (priority, buffer2);
by :
  syslog (priority, "%s", buffer2);


The Laboratory intexxia  developped the following  patch to correct this
vulnerability. However,  the simplest  and  probably  the  best  way  to
resolve this  issue is to  install the new  version at the above link in
the solution section :

  diff -dru libgtop-1.0.12/src/daemon/gnuserv.c
  libgtop-1.0.12-patched/src/daemon/gnuserv.c
  --- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001
  +++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001
  @@ -93,7 +93,7 @@
       vsnprintf (buffer, BUFSIZ-1, format, ap);
       va_end (ap);

  -    syslog (priority, buffer);
  +    syslog (priority, "%s", buffer);
   }
 
   void
  @@ -108,7 +108,7 @@
       va_end (ap);

       snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));
  -    syslog (priority, buffer2);
  +    syslog (priority, "%s", buffer2);
   }
 
   /*


________________________________________________________________________


SOLUTION
========

        There is an official solution now. libgtop_daemon release 1.0.13
has been  made to  correct this  issue. Here  is a  link where  you  can
download it :

ftp://ftp.gnome.org/pub/GNOME/stable/sources/libgtop/libgtop-1.0.13.tar.gz


________________________________________________________________________


VENDOR STATUS
=============

        26-11-2001 : This  bulletin  was  sent   to  the  libgtop_daemon
                     developpment team.
        27-11-2001 : The  libgtop_daemon  developpement  team released a
                     new version including the patch for this issue.


________________________________________________________________________


DISCLAIMER
==========

        intexxia provides these informations as a public service and "as
is". Intexxia  will not be  held accountable for  any damage or distress
caused by the proper or improper usage of these materials.


________________________________________________________________________


DIFFUSION CRITERIA
==================

        (c) intexxia 2001. This  document is property  of intexxia. Feel
free to use and distribute  this material as long as  credit is given to
intexxia and the author.


________________________________________________________________________


CONTACT
=======

CERT intexxia                                          cert () intexxia com
INTEXXIA                                         http://www.intexxia.com
171, av. Georges Clemenceau                 Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France                    Fax : +33 1 55 69 78 80

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPAM7wU2N8BNyNDXLEQLdpQCg1Vi/4vbZQdRjj/1ymF3z1+umSqcAoLg4
FBeGXpWddc3WB6nKK5KMxnC9
=pmZw
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]