Priv8 Security Research
09/04/04, 01:45
--------------070303020406000904040801
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--------------070303020406000904040801
Content-Type: text/plain;
name="final2.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="final2.txt"
************************************************** *************************
Priv8 Security Research - #2004-001 security@priv8security.com
http://www.priv8security.com Adriano Lima
February 22nd, 2004
---------------------------------------------------------------------------
Package Name: LCDProc
Vendor URL: http://lcdproc.omnipotent.net
Date: 2004-02-22
ID: PSR-#2004-002
Affected Version: 0.4.1 and lower
Risk: HIGH
************************************************** *************************
Package Description:
LCDproc is a software that displays real-time system information from your Linux/*BSD box on a LCD. The server supports several serial devices: Matrix Orbital, Crystal Fontz, Bayrad, LB216, LCDM001 (kernelconcepts.de), Wirz-SLI, Cwlinux(.com) and PIC-an-L
CD; and some devices connected to the LPT port: HD44780, STV5730, T6963, SED1520 and SED1330. Various clients that display things like CPU load, system load, memory usage, uptime, and a lot more, are available.
Problem Description:
Multiple bugs were found on LCDd server version 0.4.1 and lower that allow remote users to execute arbitrary code.
Problem 1:
Function parse_all_client_messages() on parse.c file.
if (invalid) {
// FIXME: Check for buffer overflows here...
sprintf (errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
sock_send_string (c->sock, errmsg);
}
Sending an invalid long command, we overflow "errmsg" buffer, gaining control of the eip register.
Obs: Look at the FIXME msg, I guess he forgot to check it.
Problem 2:
Function test_func_func() on client_functions.c.
int
test_func_func (client * c, int argc, char **argv)
{
int i;
char str[256];
for (i = 0; i < argc; i++) {
sprintf (str, "test_func_func: %i -> %s\n", i, argv[i]);
printf (str);
sock_send_string (c->sock, str);
}
return 0;
}
Sending a long argv on test_func command, will cause an overflow on "str" buffer.
Problem 3:
On same function above, it is possible to exploit a format string bug on print(str);
Testing:
See proof of concept code on http://www.priv8security.com/releases/lcdproc/priv8lcd.pl
Solutions:
It is recommended that all users upgrade to version 0.4.4 and install the follow patch coded by Rodrigo Rubira Branco:
http://www.priv8security.com/releases/lcdproc/lcdproc.patch
References:
http://www.priv8security.com/releases/lcdproc/lcdproc.adv1
http://www.priv8security.com/releases/lcdproc/lcdproc.adv2
http://www.priv8security.com/releases/lcdproc/lcdproc.patch
http://www.priv8security.com/releases/lcdproc/priv8lcd.pl
ADDITIONAL INSTRUCTIONS:
Apply this patch against the latest version of lcdproc.
About Priv8 Security Research Group:
Priv8 Security is a group of programmers and enthusiastic friends
new and motivated the security area.
Questions:
If you have any questions, send a mail to security@priv8security.com
Check out our mailing lists:
<http://www.priv8security.com>
The advisory itself is available at
<http://www.priv8security.com/releases/lcdproc/lcdproc.adv2>
---------------------------------------------------------------------------
All advisories are signed with PRTT's GPG key. The key and instructions
on how to import it can be found at
http://www.priv8security.com
Instructions on how to check the signatures of the packages can be
found at http://www.priv8security.com
---------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.priv8security.com
---------------------------------------------------------------------------
Copyright (c) 2004 Priv8 Security
http://www.priv8security.com
---------------------------------------------------------------------------
subscribe: security@priv8security.com
unsubscribe: security@priv8security.com
--------------070303020406000904040801--
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--------------070303020406000904040801
Content-Type: text/plain;
name="final2.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="final2.txt"
************************************************** *************************
Priv8 Security Research - #2004-001 security@priv8security.com
http://www.priv8security.com Adriano Lima
February 22nd, 2004
---------------------------------------------------------------------------
Package Name: LCDProc
Vendor URL: http://lcdproc.omnipotent.net
Date: 2004-02-22
ID: PSR-#2004-002
Affected Version: 0.4.1 and lower
Risk: HIGH
************************************************** *************************
Package Description:
LCDproc is a software that displays real-time system information from your Linux/*BSD box on a LCD. The server supports several serial devices: Matrix Orbital, Crystal Fontz, Bayrad, LB216, LCDM001 (kernelconcepts.de), Wirz-SLI, Cwlinux(.com) and PIC-an-L
CD; and some devices connected to the LPT port: HD44780, STV5730, T6963, SED1520 and SED1330. Various clients that display things like CPU load, system load, memory usage, uptime, and a lot more, are available.
Problem Description:
Multiple bugs were found on LCDd server version 0.4.1 and lower that allow remote users to execute arbitrary code.
Problem 1:
Function parse_all_client_messages() on parse.c file.
if (invalid) {
// FIXME: Check for buffer overflows here...
sprintf (errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
sock_send_string (c->sock, errmsg);
}
Sending an invalid long command, we overflow "errmsg" buffer, gaining control of the eip register.
Obs: Look at the FIXME msg, I guess he forgot to check it.
Problem 2:
Function test_func_func() on client_functions.c.
int
test_func_func (client * c, int argc, char **argv)
{
int i;
char str[256];
for (i = 0; i < argc; i++) {
sprintf (str, "test_func_func: %i -> %s\n", i, argv[i]);
printf (str);
sock_send_string (c->sock, str);
}
return 0;
}
Sending a long argv on test_func command, will cause an overflow on "str" buffer.
Problem 3:
On same function above, it is possible to exploit a format string bug on print(str);
Testing:
See proof of concept code on http://www.priv8security.com/releases/lcdproc/priv8lcd.pl
Solutions:
It is recommended that all users upgrade to version 0.4.4 and install the follow patch coded by Rodrigo Rubira Branco:
http://www.priv8security.com/releases/lcdproc/lcdproc.patch
References:
http://www.priv8security.com/releases/lcdproc/lcdproc.adv1
http://www.priv8security.com/releases/lcdproc/lcdproc.adv2
http://www.priv8security.com/releases/lcdproc/lcdproc.patch
http://www.priv8security.com/releases/lcdproc/priv8lcd.pl
ADDITIONAL INSTRUCTIONS:
Apply this patch against the latest version of lcdproc.
About Priv8 Security Research Group:
Priv8 Security is a group of programmers and enthusiastic friends
new and motivated the security area.
Questions:
If you have any questions, send a mail to security@priv8security.com
Check out our mailing lists:
<http://www.priv8security.com>
The advisory itself is available at
<http://www.priv8security.com/releases/lcdproc/lcdproc.adv2>
---------------------------------------------------------------------------
All advisories are signed with PRTT's GPG key. The key and instructions
on how to import it can be found at
http://www.priv8security.com
Instructions on how to check the signatures of the packages can be
found at http://www.priv8security.com
---------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.priv8security.com
---------------------------------------------------------------------------
Copyright (c) 2004 Priv8 Security
http://www.priv8security.com
---------------------------------------------------------------------------
subscribe: security@priv8security.com
unsubscribe: security@priv8security.com
--------------070303020406000904040801--