zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)

NGSSoftware Insight Security Research
16/12/02, 21:33
NGSSoftware Insight Security Research Advisory

Name: zkfingerd Format String vulnerability
Systems: zkfingerd version 0.9.1 and earlier
Severity: High Risk
Vendor URL: http://sourceforge.net/projects/zkfingerd
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/zkfingerd.txt
Date: 16th December 2002
Advisory number: #NISR16122002A


Description
***********
zkfingerd is an open-source replacement for standard finger daemons running
on Linux systems. zkfingerd suffers from several format string
vulnerabilities that, when exploited, can allow the remote execution of
arbitrary code.

Details
*******
The first format string vulnerability can be found in the putlog() function
of log.c. An unsafe call is made to the syslog() function.

...
syslog(LOG_INFO, c);
...

To make this safe a format string should be specified:

...
syslog(LOG_INFO,"%s", c);
...

By fingering a "user" whose name is a crafted format string, an attacker can
use the %n specifier to overwrite arbitrary locations in memory with values
of their choosing. This can lead to arbitrary code execution.


The remaining format string vulnerabilities all share one root cause: the
say() function:


void
say(char *fmt, ...)
{
va_list ap;

va_start(ap, fmt);
vprintf(fmt, ap);
va_end(ap);

printf("\r\n");
fflush(stdout);

return;
}


Whenever say() is called with input a remote user can control as its first
argument, instead of a fixed format string, the vulnerability manifests
itself. One such call site is in the file_list() function:

if(S_ISDIR(st.st_mode))
{
char *y, *z;
files++;
z = xmalloc(strlen(de->d_name) + 2);
strcpy(z, de->d_name);
strcat(z, "/");
x = xmalloc(32 + strlen(de->d_name));
y = my_ctime(st.st_mtime);
sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
say(x);
xfree(x);
xfree(y);
xfree(z);
continue;
}

Here, if a directory name contains an attacker-supplied format string, it can
be used to overwrite arbitrary locations in memory with attacker-supplied
values.
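As an added illustration (not code from zkfingerd or from this advisory), the say() pattern above beside a hardened wrapper that always passes untrusted text as a "%s" argument, a bounded rebuild of the file_list() directory line, and a helper that counts conversion specifiers in data that should contain none; the buffer size and sample values are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* say() as shipped: fmt goes straight to vprintf, so it must be a literal. */
static void say(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    printf("\r\n");
    fflush(stdout);
}

/* Hardened wrapper: untrusted text travels as a "%s" argument, never as fmt. */
void say_text(const char *text)
{
    say("%s", text);
}

/* Count printf conversions in data that should contain none ("%%" is a
   literal percent), so a daemon can log or reject suspicious names. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') {      /* escaped percent sign, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Rebuild the file_list() line with bounded snprintf calls; d_name is the
   attacker-controllable part. Returns how many conversions d_name carried. */
int build_dir_line(char *out, size_t outsz, const char *d_name, const char *mtime)
{
    char z[258];                /* assumed: NAME_MAX + "/" + NUL */
    snprintf(z, sizeof z, "%s/", d_name);
    snprintf(out, outsz, "\t%-12s\t%s\t-- DIR --", z, mtime);
    return count_format_directives(d_name);
}
```

Calling say_text(line) after build_dir_line() emits the same line the original code produced, but the directory name can no longer reach vprintf as a format string.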


Fix Information
***************
NGSSoftware alerted the author of zkfingerd to these problems on the 27th
of November, 2002. The author responded quickly and made the relevant
security fixes. Patched source code can be downloaded from CVS at SourceForge:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/

A check for this issue has been added to Typhon III, NGSSoftware's advanced
vulnerability assessment tool; more information about it is available on
the NGSSoftware site: http://www.ngssoftware.com/

For more information about format string vulnerabilities please read

http://www.nextgenss.com/papers/win32format.doc
http://julianor.tripod.com/usfs.html


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com