Vulnwatch: [INetCop Security Advisory] Remote format string vulnerability in Tanne.

From: dong-h0un yoU <xploit_at_hackermail.com>
Date: Tue, 07 Jan 2003 16:59:11 +0800

        ========================================
        INetCop Security Advisory #2003-0x82-012
        ========================================

* Title: Remote format string vulnerability in Tanne.

0x01. Description

About:
tanne is a small, secure session-management solution for HTTP.
It replaces common sessions with a system consisting of PIN and TANs,
well known from online banking.
Its main purpose is to enable programmers of Web applications
to have really secure sessions without cookies or session-ids.

More detailed information is at http://tanne.fluxnetz.de/.

The vulnerability can be described as follows.
There is a logger() function at line 29 of 'netzio.c':

    __
    59 else
    60 {
    61 va_start( args, str );
    62 vsnprintf( txt, 511, str, args );
    63 va_end( args );
    64 openlog( "Tanne2", LOG_PID, LOG_DAEMON );
    65 syslog( LOG_INFO, txt ); // Here.
    66 closelog();
    67 }
    68 umask( NORMALE_UMASK );
    69 #else
    70 va_start( args, str );
    71 vsnprintf( txt, 511, str, args );
    72 va_end( args );
    73 openlog( "Tanne2", LOG_PID, LOG_DAEMON );
    74 syslog( LOG_INFO, txt ); // Here.
    75 closelog();
    76 #endif
    77 }
    --

This is a very dangerous security vulnerability.
It's already well known. ;-)

0x02. Vulnerable Packages

Vendor site: http://tanne.fluxnetz.de/

tanne 0.6.17
-tanne-0.6.17.tar.bz2
+Linux
+Other

0x03. Exploit

When compiled and tested, it gives the following result.

bash# netstat -an | grep 14002
tcp 0 0 127.0.0.1:14002 0.0.0.0:* LISTEN
bash# nc 0 14002
%x%x%x%x
|F|
bash# tail -1 /var/log/messages
Jan 5 11:29:55 xpl017elz Tanne2[3540]: FATAL: ID (804bbc0118bffff980) nicht gefunden
bash#

When our examination is finished,
we will release exploit code as a proof of concept. hehe !!

0x04. Patch

=== netzio.patch ===

--- netzio.c Wed Jul 25 22:17:29 2001
+++ netzio.patch.c Sun Jan 5 11:18:31 2003
@@ -62,7 +62,7 @@
                 vsnprintf( txt, 511, str, args );
                 va_end( args );
                 openlog( "Tanne2", LOG_PID, LOG_DAEMON );
- syslog( LOG_INFO, txt );
+ syslog( LOG_INFO, "%s", txt );
                 closelog();
         }
         umask( NORMALE_UMASK );
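Review bot: The replacement `syslog( LOG_INFO, "%s", txt );` is the right fix, since txt holds caller-controlled data produced by vsnprintf and must never be the format argument; the remaining weak spot in this hunk is the hard-coded bound in `vsnprintf( txt, 511, str, args );` two lines above, which is not tied to the declaration of txt. If txt is a fixed-size array, `sizeof txt` keeps the bound correct when the size changes; otherwise a named constant shared with the allocation would. Also worth confirming that no other call site hands txt (or any other buffer built from request data) straight to syslog() or a printf-family function, because this hunk covers only the branch shown.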
@@ -71,7 +71,7 @@
         vsnprintf( txt, 511, str, args );
         va_end( args );
         openlog( "Tanne2", LOG_PID, LOG_DAEMON );
- syslog( LOG_INFO, txt );
+ syslog( LOG_INFO, "%s", txt );
         closelog();
 #endif
 }
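Review bot: This #else branch duplicates the block in the previous hunk line for line, so the same fix has to be applied twice and the two copies can drift apart; consider moving the vsnprintf/openlog/syslog/closelog sequence into a small helper called from both sides of the #if, so the safe `"%s"` call exists in exactly one place. The change itself is correct: txt is data, not a format, and with a fixed "%s" any %x or %n inside the logged ID is written out literally instead of being interpreted.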

=== eof ===

P.S.: Sorry for my poor English.

--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
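An added example (not from the advisory and not tanne's own code) illustrating the patched logger() and a defender's check: log_message() mirrors the fixed pattern with a buffer standing in for syslog(), log_id_not_found() reproduces the advisory's log line, and count_format_conversions()/format_has_write() flag input such as the "%x%x%x%x" probe above that would act as a format string if misused. All function names are assumptions introduced here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Mirrors tanne's patched logger(): untrusted data is formatted into txt
 * with a trusted format string, then txt reaches the sink only as the
 * argument of a fixed "%s", never as the format itself (sink = buffer). */
int log_message(char *out, size_t outsz, const char *str, ...)
{
    char txt[512];
    va_list args;
    va_start(args, str);
    vsnprintf(txt, sizeof txt, str, args);
    va_end(args);
    return snprintf(out, outsz, "%s", txt);   /* the patched call */
}

/* Hypothetical helper: the advisory's log line with a caller-controlled ID. */
const char *log_id_not_found(const char *id)
{
    static char line[600];
    log_message(line, sizeof line, "FATAL: ID (%s) nicht gefunden", id);
    return line;
}

/* Detection helper: counts the printf conversions an untrusted string
 * would trigger if misused as a format string (each '%' not part of the
 * "%%" escape); *writes is set if a %n, which writes to memory, appears. */
int count_format_conversions(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent */
        n++;
        const char *p = s + 1;                /* skip flags, width, length */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) p++;
        if (*p == 'n') *writes = 1;
        if (!*p) break;
        s = p;                                /* resume after the conversion */
    }
    return n;
}

/* Convenience: 1 if the string contains a %n conversion, else 0. */
int format_has_write(const char *s)
{ int w; count_format_conversions(s, &w); return w; }
```

Many conversions or any %n in request data (such as the ID field logged above) is a reasonable alerting condition for this class of bug.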
Received on Jan 07 2003