Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829 Quick Summary: ************************************************************************ Advisory Number : SRT2003-TURKEY-DAY *Gobble* *Gobble* Product : detecttr.c Version : modified on 11.07.97 Vendor : baldor - http://phrack.org/show.php?p=51&a=3 Class : Remote Criticality : Low Operating System(s) : Linux, FreeBSD, and other POSIX-systems Notice ************************************************************************ The full technical details of this vulnerability can be found at: http://www.secnetops.com/research/advisories/SRT2003-TURKEY-DAY.txt Basic Explanation ************************************************************************ High Level Description : detecttr has format strings issues. What to do : properly format the syslog call and recompile. Basic Technical Details ************************************************************************ Proof Of Concept Status : SNO has proof of concept. Low Level Description : Phrack Magazine Volume 7, Issue 51 which was released on September 01, 1997 contained an article titled "Tools for (paranoid ?) linux users" by an author known as baldor. This article was featured as part of the "Line Noise" located in section 0x04 from article 03 of 17. In this article the author introduces a program for detecting traceroute activity. You can find this program in a variety of places including security archives, unix tool libraries, and search engines. The program in question is detecttr.c and it contains a remotely exploitable format strings issue. I have not yet decided if this was a deliberately placed backdoor or if it was a simple coding mistake. Either way...line 140 of detecttr.c is the problem child which leads to potential exploitation. DNS libraries during the time the article was written may have been ripe for easy exploitation of this issue. Passing a hostname directly to syslog() without a format specifier is a bad idea in most cases. Work Around : Apply the below code change. change syslog(LOG_NOTICE , buf); to syslog(LOG_NOTICE , "%s" , buf); Bugtraq URL : To be assigned. Disclaimer ---------------------------------------------------------------------- This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract.. Contact our sales department at sales@secnetops.com for further information on how to obtain proof of concept code. ---------------------------------------------------------------------- Secure Network Operations, Inc. || http://www.secnetops.com "Embracing the future of technology, protecting you."