Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2005-3393 to a friend New vulnerability? New tool? Tell us	CVE-2005-3393 OpenVPN foreign_option() Formart String     Credit: The information has been provided by v9. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2005-3393 Details Check for CVE-2005-3393 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * OpenVPN version 2.0 up to 2.0.3 Immune Systems:  * OpenVPN version 2.0.4 The vulnerable function is located in options.c in the foreign_option() function. This function uses the buf_printf() function to improperly write to a buffer(typical printf() format string-style). The only option that appears to use the foreign_option() function is "dhcp-option". Since the OpenVPN server is allowed to "push" some command options ("dhcp-option" being one of those) to its clients this becomes remotely exploitable on the OpenVPN clients. An example/demonstration of this would be to insert the following line into a malicious OpenVPN server config file:  push "dhcp-option <format string>" Or, namely to test for validity/crash of an OpenVPN client:  push "dhcp-option %n%n%n%n%n%n" It should be noted that WIN32 versions of OpenVPN are NOT affected by this, the following code snippets will highlight the above. openvpn/options.c: ... static void foreign_option (struct options *o, char *argv[], int len, struct env_set *es) {   if (len > 0)     {       struct gc_arena gc = gc_new();       struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);       struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);       int i;       bool first = true;       buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1);       ++o->foreign_option_index;       for (i = 0; i < len; ++i)         {           if (argv[i])             {               if (!first)                 buf_printf (&value, " "); ! -> buf_printf (&value, argv[i]);               first = false;             }         }       setenv_str (es, BSTR(&name), BSTR(&value));       gc_free (&gc);     } } ... static int add_option (...){ ... #ifdef WIN32 ... #else ...   else if (streq (p[0], "dhcp-option") && p[1])     {       ++i;       VERIFY_PERMISSION (OPT_P_IPWIN32);       if (p[2])         ++i; ! -> foreign_option (options, p, 3, es);     } ... #endif ... User-supplied data is reachable for writing to, and addresses (within pop/"direct parameter access" range) already in memory were viable to write and to to gain control of the program. However, OpenVPN filters many characters, which causes problems for standard exploitation using the user supplied method and insertion of (non-alum) shellcode. this does not stop exploitation using this method, but does make it more involved. CVE Information: CVE-2005-3393  Comments on CVE-2005-3393:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®