Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
From: Flavio Veloso <flaviovs () magnux com>
Date: Wed, 28 Nov 2001 08:52:27 -0200 (BRST)

On Tue, 27 Nov 2001, Benoît Roussel wrote:

________________________________________________________________________
SECURITY ADVISORY                                            INTEXXIA(c)
27 11 2001                                               ID #1048-261101
________________________________________________________________________
TITLE   : libgtop_daemon Remote Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________


SYSTEM AFFECTED
===============

        libgtop_daemon <= 1.0.12

When investigating this issue I noticed another big security hole in
the daemon. It's a buffer overflow in the same permitted() function,
which may allow the client to execute code on the server. Here's the
code:

permitted (u_long host_addr, int fd)
{
(...)
    char buf[1024];
    int auth_data_len;
(...)
        if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
            return FALSE;

        auth_data_len = atoi (buf);

        if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_le
n)
            return FALSE;

Here you can see the bug in action:

$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
   nc localhost 42800

The GNOME folks and vendors were already notified. Since this bug is
too obvious to a casual reviewer of the flaw reported by INTEXXIA, and
since a patch is also available (see below), we are treating it as
already disclosed.

Here goes the patch. It should be applied against 1.0.13 (released on
2001-11-27). Notice that this new version _already_ fixed the format
bug, but _not_ the buffer overflow. You should apply the patch or wait
for 1.0.14.

diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c    Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@

        auth_data_len = atoi (buf);

+       if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+           syslog_message(LOG_WARNING,
+                          "Invalid data length supplied by client");
+           return FALSE;
+       }
+
        if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
            return FALSE;


-- 
Flávio



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault