
Gnome - libgtop_daemon format string vulnerability
28th Nov 2001 [SBWID-4881]

	libgtop_daemon format string vulnerability


	libgtop_daemon <= 1.0.12


	Based on the Guillaume Pelat [] advisory :

	The two functions named syslog_message() and syslog_io_message() are
	called with a format string which is initialized by the client. The
	permitted() function, that verifies if the client trying to connect
	is authorized to, is concerned by this flaw. The libgtop_daemon daemon
	is launched with 'nobody' permissions by default. Complete exploitation
	of this vulnerability will permit an attacker to execute code with the
	'nobody' permissions.

	example :

	Client side :

	~ % telnet 42800
	Connected to
	Escape character is '^]'.
	Connection closed by foreign host.

	~ % telnet 42800
	Connected to
	Escape character is '^]'.
	Connection closed by foreign host.


	Server side :

	~/# libgtop_daemon -f
	' from clientn[3877]: Invalid authentication protocol
	libgtop-daemon[3877]: Refused connection from
	Segmentation fault

	Flavio found additional problems :

	When investigating this issue I noticed another big security hole in
	the daemon. It's a buffer overflow in the same permitted() function,
	which may allow the client to execute code on the server. Here's the

	permitted (u_long host_addr, int fd)
	{
	    char buf[1024];
	    int auth_data_len;

	    /* first read: the 10-byte length prefix sent by the client */
	    if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
	        return FALSE;

	    /* client-controlled length, used unchecked as the size of the next read */
	    auth_data_len = atoi (buf);

	    /* overflow: auth_data_len may exceed sizeof (buf) */
	    if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
	        return FALSE;
	    /* ... */
	}


	Here you can see the bug in action:

	$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
	   nc localhost 42800
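As an added example, not code from the advisory or from libgtop, the following C program shows the length validation a hardened permitted() needs before the second timed_read(): the length prefix is parsed with strtol() instead of atoi(), must be a whole number in the range 1..sizeof(buf), and the data copy is only attempted once that holds. An in-memory byte array stands in for the socket, the frame layout (10-byte NUL-padded length field followed by the data, with no magic prefix) is an assumption taken from the snippet above, and both sample frames, including the "2000" claim followed by 2000 bytes of 'A' from the test command, are constructed here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEN_FIELD 10      /* bytes of length prefix, as in the first timed_read() */
#define AUTH_BUF  1024    /* matches char buf[1024] in permitted() */

/* Parse a client-supplied length prefix into a byte count that is guaranteed
 * to fit in a buffer of 'cap' bytes.  Returns the length, or -1 for anything
 * malformed or out of range.  Hypothetical helper, not libgtop's code. */
long parse_auth_len(const char *field, size_t field_len, size_t cap)
{
    char tmp[LEN_FIELD + 1];
    if (field_len > LEN_FIELD)
        return -1;
    memcpy(tmp, field, field_len);
    tmp[field_len] = '\0';            /* atoi() on the raw bytes had no such guarantee */

    char *end;
    errno = 0;
    long v = strtol(tmp, &end, 10);
    if (end == tmp || errno == ERANGE)
        return -1;                    /* no digits, or does not fit in a long */
    /* Only NUL padding may follow the digits (assumed wire format). */
    for (size_t i = (size_t)(end - tmp); i < field_len; i++)
        if (field[i] != '\0')
            return -1;
    if (v < 1 || (unsigned long)v > cap)
        return -1;                    /* zero, negative, or larger than the buffer */
    return v;
}

/* Consume one authentication frame from an in-memory byte stream (stand-in
 * for timed_read() on the socket): LEN_FIELD bytes of length prefix followed
 * by that many bytes of auth data.  Copies the data into 'out' (capacity
 * 'cap') and returns the byte count, or -1 without touching 'out'. */
long read_auth_frame(const unsigned char *wire, size_t wire_len,
                     unsigned char *out, size_t cap)
{
    if (wire_len < LEN_FIELD)
        return -1;
    long n = parse_auth_len((const char *)wire, LEN_FIELD, cap);
    if (n < 0)
        return -1;
    if (wire_len - LEN_FIELD < (size_t)n)
        return -1;                    /* client promised more than it sent */
    memcpy(out, wire + LEN_FIELD, (size_t)n);
    return n;
}

/* Constructed frame: length "5", NUL-padded to 10 bytes, then "hello". */
long demo_good(void)
{
    static const unsigned char frame[] = "5\0\0\0\0\0\0\0\0\0hello";
    unsigned char out[AUTH_BUF];
    return read_auth_frame(frame, sizeof frame - 1, out, sizeof out);
}

/* Constructed frame mirroring the advisory's test command: length "2000"
 * followed by 2000 bytes of 'A', which the atoi()-only code would have read
 * straight into a 1024-byte buffer.  Here it is rejected before any copy. */
long demo_oversized(void)
{
    unsigned char frame[LEN_FIELD + 2000];
    memcpy(frame, "2000\0\0\0\0\0\0", LEN_FIELD);
    memset(frame + LEN_FIELD, 'A', 2000);
    unsigned char out[AUTH_BUF];
    return read_auth_frame(frame, sizeof frame, out, sizeof out);
}

int main(void)
{
    printf("well-formed frame: %ld bytes\n", demo_good());   /* 5  */
    printf("oversized claim:   %ld\n", demo_oversized());    /* -1 */
    return 0;
}
```

The rejection happens on the parsed length alone, so the daemon never issues the second read for an oversized claim; the `wire_len - LEN_FIELD` check additionally covers a client that announces a valid length but then sends less, which the original `!= auth_data_len` comparison handled only after the read.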




	Although there is an official solution, here is the way to patch the
	sources to resolve this problem. The file 'src/daemon/gnuserv.c' must
	be modified :

	In function syslog_message(), replace :

	  syslog (priority, buffer);

	by :

	  syslog (priority, "%s", buffer);


	And in function syslog_io_message(), replace :

	  syslog (priority, buffer2);

	by :

	  syslog (priority, "%s", buffer2);
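To make the difference between the two syslog() calls concrete, here is an added example (not code from the advisory or from libgtop) that reproduces the double-formatting pattern of syslog_message() in plain C, with a buffer-writing sink() standing in for syslog() so the result can be inspected offline. The client text, the sink() and build_message() helpers, and the contains_format_directive() check are all constructed for this example. The sample uses the "%%" escape because it is the one directive that consumes no argument, so the vulnerable path stays within defined behaviour while still showing the client's text being interpreted instead of copied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(priority, format, ...): formats into a caller-supplied
 * buffer instead of the system log, so the result can be inspected offline. */
static int sink(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* First pass, as in syslog_message(): a literal format supplied by the
 * daemon substitutes the client's text into the message buffer. */
static void build_message(char *buf, size_t cap, const char *client_data)
{
    snprintf(buf, cap, "Invalid authentication protocol: '%s' from client",
             client_data);
}

/* Vulnerable second pass: the already-expanded message is handed to the
 * sink as its format string, so any '%' the client sent is interpreted. */
int log_vulnerable(char *out, size_t cap, const char *client_data)
{
    char buf[256];
    build_message(buf, sizeof buf, client_data);
    return sink(out, cap, buf);           /* == syslog (priority, buffer) */
}

/* Fixed second pass: the format is the literal "%s"; the message is data. */
int log_fixed(char *out, size_t cap, const char *client_data)
{
    char buf[256];
    build_message(buf, sizeof buf, client_data);
    return sink(out, cap, "%s", buf);     /* == syslog (priority, "%s", buffer) */
}

/* Convenience for checking either path against an expected log line. */
int log_matches(int use_fixed, const char *client_data, const char *expected)
{
    char out[256];
    if (use_fixed)
        log_fixed(out, sizeof out, client_data);
    else
        log_vulnerable(out, sizeof out, client_data);
    return strcmp(out, expected) == 0;
}

/* Defender-side check: does untrusted text contain a conversion directive,
 * i.e. a '%' that is not the literal escape "%%"?  Handy for flagging
 * inputs or log lines that reached a logging sink. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* "%%" prints a single percent */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed client text.  "%%" is the only directive that consumes no
     * argument, so the vulnerable path stays within defined behaviour while
     * still showing the text being interpreted rather than copied. */
    const char *client = "50%% done";
    char out[256];

    log_vulnerable(out, sizeof out, client);
    printf("vulnerable: %s\n", out);    /* '50% done'  : the %% collapsed */
    log_fixed(out, sizeof out, client);
    printf("fixed:      %s\n", out);    /* '50%% done' : copied verbatim   */
    printf("directive in \"%%x%%x%%n\"? %d\n",
           contains_format_directive("%x%x%n"));   /* 1 */
    return 0;
}
```

The fix is entirely in the second pass: once a buffer holds text that came from the network, it must only ever travel through a format function as an argument to a literal "%s", never as the format itself. The directive check is a cheap detection aid for log review, not a substitute for that rule.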



	The Laboratory intexxia developed the following patch to correct this
	vulnerability. However, the simplest and probably the best way to
	resolve this issue is to install the new version at the above link in
	the solution section :

	  diff -dru libgtop-1.0.12/src/daemon/gnuserv.c


	  --- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001

	  +++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001

	  @@ -93,7 +93,7 @@

	       vsnprintf (buffer, BUFSIZ-1, format, ap);

	       va_end (ap);


	  -    syslog (priority, buffer);

	  +    syslog (priority, \"%s\", buffer);
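Review bot: the literal "%s" format is the right fix at this line, because by the time syslog() is reached `buffer` already holds client-supplied text substituted by the vsnprintf above, and a second pass over it is what lets client directives execute. One caveat visible in the same lines: `format` still flows straight from syslog_message()'s caller into vsnprintf, so the fix holds only as long as every call site supplies a literal format and passes client data as an argument, never as `format` itself.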




	  @@ -108,7 +108,7 @@

	       va_end (ap);


	       snprintf (buffer2, BUFSIZ-1, \"%s: %s\", buffer, strerror (errno));

	  -    syslog (priority, buffer2);

	  +    syslog (priority, \"%s\", buffer2);
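Review bot: same fix as the first hunk and correct for the same reason; `buffer2` now carries both the expanded message and the strerror text, so it must not be interpreted a second time. A small robustness point on the unchanged context: `strerror (errno)` is evaluated after the vararg formatting that `va_end (ap)` closes, and that formatting can itself modify errno; saving errno into a local at function entry keeps the reported error the one the caller intended.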









	Additional patch from Flavio :

	Here goes the patch. It should be applied against 1.0.13 (released on
	2001-11-27). Notice that this new version _already_ fixed the format
	bug, but _not_ the buffer overflow. You should apply the patch or wait
	for 1.0.14.


	diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c

	--- libgtop-1.0.13.orig/src/daemon/gnuserv.c	Mon Nov 26 20:37:59 2001

	+++ libgtop-1.0.13/src/daemon/gnuserv.c	Tue Nov 27 09:16:16 2001

	@@ -200,6 +200,12 @@


	 	auth_data_len = atoi (buf);


	+	if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {

	+	    syslog_message(LOG_WARNING,

	+			   \"Invalid data length supplied by client\");

	+	    return FALSE;

	+	}


	 	if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)

	 	    return FALSE;
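Review bot: the added range check closes the overflow, since the second timed_read can no longer be asked for more than sizeof(buf) bytes, and the `< 1` test also rejects atoi returning 0 for non-numeric input and any negative length. Two minor points: `auth_data_len > sizeof(buf)` compares an int with a size_t, which compilers flag as a signed/unsigned comparison; it is safe only because `< 1` runs first, so writing `auth_data_len > (int) sizeof(buf)` would make that intent explicit. Also, atoi reads `buf` as a C string, so the first timed_read of 10 bytes must leave it NUL-terminated for the length parse itself to stay within the buffer.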






	FreeBSD patch :

	[i386] ( '' ) ( '' )

	Packages are not automatically generated for the alpha architecture at
	this time due to lack of build resources.


