From nisr@nextgenss.com Tue Dec 17 00:34:42 2002
From: NGSSoftware Insight Security Research
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Mon, 16 Dec 2002 19:53:29 -0000
Subject: [VulnWatch] zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)

NGSSoftware Insight Security Research Advisory

Name:            zkfingerd Format String vulnerability
Systems:         zkfingerd version 0.9.1 and earlier
Severity:        High Risk
Vendor URL:      http://sourceforge.net/projects/zkfingerd
Author:          David Litchfield (david@ngssoftware.com)
Advisory URL:    http://www.ngssoftware.com/advisories/zkfingerd.txt
Date:            16th December 2002
Advisory number: #NISR16122002A

Description
***********
zkfingerd is an open-source replacement for standard finger daemons running
on Linux systems. zkfingerd suffers from several format string
vulnerabilities that, when exploited, can allow the remote execution of
arbitrary code.

Details
*******
The first format string vulnerability can be found in the putlog() function
of log.c, where an unsafe call is made to syslog() with caller data as the
format argument:

    ..
    syslog(LOG_INFO, c);
    ..

To make this safe a format string should be specified and the data passed as
an argument:

    ..
    syslog(LOG_INFO, "%s", c);
    ..

By fingering a "user" whose name is crafted as a format string, it is
possible to overwrite arbitrary locations in memory with attacker-supplied
values using the %n specifier. This can lead to arbitrary code execution.

Further format string vulnerabilities, all with the same root cause, are due
to the say() function:

    void say(char *fmt, ...)
    {
        va_list ap;

        va_start(ap, fmt);
        vprintf(fmt, ap);
        va_end(ap);
        printf("\r\n");
        fflush(stdout);
        return;
    }

If, when say() is called, the first argument is not a fixed format string
but input that a remote user can control, the vulnerability manifests
itself.
One such place is in the file_list() function:

    if(S_ISDIR(st.st_mode)) {
        char *y, *z;
        files++;
        z = xmalloc(strlen(de->d_name) + 2);
        strcpy(z, de->d_name);
        strcat(z, "/");
        x = xmalloc(32 + strlen(de->d_name));
        y = my_ctime(st.st_mtime);
        sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
        say(x);              /* x holds the directory name and is used as the format */
        xfree(x);
        xfree(y);
        xfree(z);
        continue;
    }

In this case, if the name of a directory contains an attacker-supplied format
string, it can be used to overwrite arbitrary locations in memory with
attacker-supplied values.

Fix Information
***************
NGSSoftware alerted the author of zkfingerd to these problems on the 27th of
November, 2002. The author responded quickly and made the relevant security
fixes. Patched source code can be downloaded from CVS at SourceForge:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/

A check for this issue has been added to Typhon III, NGSSoftware's advanced
vulnerability assessment tool; more information is available at the NGS
site:

http://www.ngssoftware.com/

For more information about format string vulnerabilities please read

http://www.nextgenss.com/papers/win32format.doc
http://julianor.tripod.com/usfs.html

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company, NGSConsulting, offers best-of-breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com
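As an added example (not code from the advisory or from zkfingerd), the following C shows the hardened form of the say() call path for the file_list() directory line described in the Details section, beside a checker that counts conversion directives in untrusted names so they can be logged and rejected; say_dir_line() and count_conversions() are assumed helper names.

```c
/* Added example, not zkfingerd's code. say() keeps the advisory's body; the
 * fix is that callers pass user-influenced text as a %s argument, never as fmt. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same body as the advisory's say(): safe only when fmt is a literal. */
static void say(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    printf("\r\n");
    fflush(stdout);
}

/* Safe replacement for the file_list() snippet: build the line with a bounded
 * snprintf (same layout as "\t%-12s\t%s\t-- DIR --" with name + "/" padded
 * to 12) and hand it to say() as data. Returns the line length, or -1 if
 * buf was too small (refuse rather than emit a partial line). */
int say_dir_line(const char *name, const char *mtime, char *buf, size_t buflen)
{
    int pad = 12 - (int)strlen(name) - 1;    /* width left after name + "/" */
    if (pad < 0)
        pad = 0;
    int n = snprintf(buf, buflen, "\t%s/%*s\t%s\t-- DIR --", name, pad, "", mtime);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    say("%s", buf);         /* attacker-influenced text is an argument, not the format */
    return n;
}

/* Count printf-style conversion directives in untrusted input; "%%" is a
 * literal percent sign, not a conversion. A finger username or directory
 * name with a non-zero count is worth logging and rejecting. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}
```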