Auto Nice Daemon Format String Vulnerability



27th Nov 2001 [SBWID-4877]
COMMAND

	Auto Nice Daemon Format String Vulnerability

SYSTEMS AFFECTED

	AND <= 1.0.4

PROBLEM

	Guillaume Pelat [www.intexxia.com] says:

	AND (Auto Nice Daemon, http://and.sourceforge.net/) is a daemon which
	allows a user process to be changed automatically if it uses too much
	CPU time. It can also kill the process if it goes beyond a defined level.

	AND is vulnerable to a format string bug. A local user can exploit this
	issue to gain higher privileges on the local system. He only needs to
	run a process with a name containing a format string, like
	'%n%n%n%n'.

	The problem occurs when the program calls the syslog(3) function with
	the process name as second parameter. As a user can create a process
	named as he wants, it is easy to exploit this vulnerability.

	Complete exploitation of this vulnerability can lead to a privilege
	escalation on the system. As the AND process runs as 'root', a local
	user could execute arbitrary code with 'root' privileges.


	 PROOF OF CONCEPT
	 ================

	It is simple to create a program using a lot of CPU time with a
	special name to exploit this bug:

	  % cat foo.c
	  int main()
	  {
	      while (1);
	      return 0;
	  }
	  % gcc foo.c -o %n%n%n%n
	  % ./%n%n%n%n

	This causes a segmentation fault in the AND daemon.
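	As an added example (not AND's code and not part of the original advisory), the C below mirrors the daemon's two logging steps described above, with the call written in its fixed form (the message passed as data behind a literal "%s"), and adds two audit helpers, directives_in() and has_percent_n() (hypothetical names), that a defender can use to flag process names which the unpatched daemon would have interpreted:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf conversion directives in s ("%%" is an escaped '%'). */
int directives_in(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Does s carry %n, the directive that WRITES to memory? Flags, width,
 * precision and length modifiers between '%' and 'n' are skipped. */
int has_percent_n(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
    }
    return 0;
}

/* Mirror of the daemon's two steps (constructed message text). Step 1 is
 * unchanged by the patch: the process name is an snprintf ARGUMENT, so
 * its %-sequences are copied into buffer as plain text. Step 2 is where
 * and-1.0.4 went wrong with
 *     syslog(LOG_WARNING, buffer);
 * which made syslog() parse that text as its FORMAT and act on every
 * directive in it; the patched call passes buffer as data instead.
 * Returns how many directives the rendered message still carries. */
int live_directives_after_render(const char *procname)
{
    char buffer[256];
    snprintf(buffer, sizeof buffer, "process %s uses too much CPU", procname);
    syslog(LOG_WARNING, "%s", buffer);   /* patched form */
    return directives_in(buffer);
}
```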
	

	

SOLUTION

	There is an official solution right now. It can be found on the
	following web site. Update AND to version 1.0.5:

	http://and.sourceforge.net

	You can also apply the following patch which fixes the vulnerability:


	  diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c

	  --- and-1.0.4/and.c     Sat Jul  7 21:43:15 2001

	  +++ and-1.0.4-patched/and.c     Fri Nov 23 11:50:27 2001

	  @@ -218,7 +218,7 @@

	         fflush(out);

	       } else {

	         /* write to syslog if in full operations */

	  -      syslog(LOG_WARNING,buffer);

	  +      syslog(LOG_WARNING, \"%s\", buffer);

	       }

	     }

	     va_end(args);
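	Review bot: The change itself is the correct fix, since buffer carries a user-chosen process name and must travel as the argument to a literal "%s" rather than as syslog()'s format, but the hunk's leading context shows a sibling output branch (the one ending in fflush(out)) whose write call is outside the visible lines; if that branch hands buffer to fprintf() or a similar varargs call as its format, it needs the same "%s" treatment, otherwise the bug remains reachable whenever the daemon is not in full operation. Building with gcc's -Wformat-security would have flagged this call site and will point out any others that still pass a non-literal format with no arguments.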
