[VulnDiscuss] Re: zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)
Hi,
As far as I know there's no distro which ships with that daemon or even
gives it a 4000 perm.
Further
----- Original Message -----
From: "NGSSoftware Insight Security Research" <nisr@xxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>; <vulnwatch@xxxxxxxxxxxxx>
Sent: Monday, December 16, 2002 8:53 PM
Subject: zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)
> NGSSoftware Insight Security Research Advisory
>
> Name: zkfingerd Format String vulnerability
> Systems: zkfingerd version 0.9.1 and earlier
> Severity: High Risk
> Vendor URL: http://sourceforge.net/projects/zkfingerd
> Author: David Litchfield (david@xxxxxxxxxxxxxxx)
> Advisory URL: http://www.ngssoftware.com/advisories/zkfingerd.txt
> Date: 16th December 2002
> Advisory number: #NISR16122002A
>
>
> Description
> ***********
> zkfingerd is an open-source replacement for standard finger daemons running
> on Linux systems. zkfingerd suffers from several format string
> vulnerabilities that, when exploited, can allow the remote execution of
> arbitrary code.
>
> Details
> *******
> The first format string vulnerability can be found in the putlog() function
> of log.c. An unsafe call is made to the syslog() function.
>
> ..
> syslog(LOG_INFO, c);
> ..
>
> To make this safe a format string should be specified:
>
> ..
> syslog(LOG_INFO,"%s", c);
> ..
>
> By fingering a "user" and designing a special format string as the user, it
> is possible to overwrite arbitrary locations in memory with values supplied
> by an attacker using the %n specifier. This can lead to arbitrary code
> execution.
>
>
> Further format string vulnerabilities, that all have the same root cause,
> are due to the say() function:
>
>
> #include <stdarg.h>
> #include <stdio.h>
>
> void
> say(char *fmt, ...)
> {
>     va_list ap;
>
>     va_start(ap, fmt);
>     vprintf(fmt, ap);   /* fmt is used as the format string: unsafe when it is caller-controlled */
>     va_end(ap);
>
>     printf("\r\n");
>     fflush(stdout);
>
>     return;
> }
>
>
> If, when say() is called, the first argument is not a format string but
> input a remote user can control then the vulnerability will manifest itself.
> One such place is in the file_list() function:
>
> if(S_ISDIR(st.st_mode))
> {
>     char *y, *z;
>     files++;
>     z = xmalloc(strlen(de->d_name) + 2);
>     strcpy(z, de->d_name);
>     strcat(z, "/");
>     x = xmalloc(32 + strlen(de->d_name));
>     y = my_ctime(st.st_mtime);
>     sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
>     say(x);     /* x contains the directory name and is passed as the format string */
>     xfree(x);
>     xfree(y);
>     xfree(z);
>     continue;
> }
>
> In this case if the name of a directory contains an attacker supplied format
> string then it can overwrite arbitrary locations in memory with attacker
> supplied values.
>
>
> Fix Information
> ***************
> NGSSoftware alerted the author of zkfingerd with these problems on the 27th
> of November, 2002. The author responded quickly and made the relevant
> security fixes. Patched source code can be downloaded from CVS @ Sourceforge.
>
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/
>
> A check for this issue has been added to Typhon III, NGSSoftware's advanced
> vulnerability assessment tool, of which, more information is available at
> the NGSSite: http://www.ngssoftware.com/
>
> For more information about format string vulnerabilities please read
>
> http://www.nextgenss.com/papers/win32format.doc
> http://julianor.tripod.com/usfs.html
>
>
> About NGSSoftware
> *****************
> NGSSoftware design, research and develop intelligent, advanced application
> security assessment scanners. Based in the United Kingdom, NGSSoftware have
> offices in the South of London and the East Coast of Scotland. NGSSoftware's
> sister company NGSConsulting, offers best of breed security consulting
> services, specialising in application, host and network security
> assessments.
>
> http://www.ngssoftware.com/
> http://www.ngsconsulting.com/
>
> Telephone +44 208 401 0070
> Fax +44 208 401 0076
> enquiries@xxxxxxxxxxxxxxx
>
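Added example, not code from the advisory or from zkfingerd: hardened equivalents of the quoted putlog() and say() patterns, plus the file_list() directory line built so that a directory name carrying conversion specifiers is emitted literally. The function names, the write-to-buffer interface and the buffer sizes are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hardened form of putlog(): the message is an argument to a fixed format. */
void putlog_safe(const char *c)
{
    syslog(LOG_INFO, "%s", c);
}

/* Hardened form of say() for untrusted text: `text` is always data, never the
 * format. Output goes to `out` rather than stdout so it can be inspected.
 * Returns the number of characters written, or -1 if `out` is too small. */
int say_line(char *out, size_t outsz, const char *text)
{
    int n = snprintf(out, outsz, "%s\r\n", text);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* A variadic say() is acceptable only when every caller passes a literal as
 * fmt; the attribute makes gcc/clang warn if a non-literal is passed. */
__attribute__((format(printf, 3, 4)))
int say_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    char line[512];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof line) return -1;
    return say_line(out, outsz, line);
}

/* The file_list() directory line, with the name and time passed as arguments
 * and the result emitted through say_line(): a directory named "%n%n" stays
 * literal instead of being interpreted. Buffer sizes are assumed. */
int dir_entry_line(char *out, size_t outsz, const char *d_name, const char *mtime)
{
    char z[258], line[512];
    if ((size_t)snprintf(z, sizeof z, "%s/", d_name) >= sizeof z) return -1;
    int n = snprintf(line, sizeof line, "\t%-12s\t%s\t-- DIR --", z, mtime);
    if (n < 0 || (size_t)n >= sizeof line) return -1;
    return say_line(out, outsz, line);
}
```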