snmppd is "an SNMP proxy daemon that is designed to work with Nagios. It loads MIBs upon startup, listens on a TCP socket for SNMP GET requests, polls the specified host, and returns the value to caller process. The caller process is usually the Nagios plugin check_snmpp".
A format string vulnerability has been discovered in SNMP Proxy daemon (snmppd), allowing a remote attacker to cause the program to execute arbitrary code.
Credit:
The information has been provided by dong-hun you.
The original article can be found at: http://www.inetcop.net
Vulnerable Systems:
* snmppd version 0.4.5 and prior
Vulnerable code:
The following code can be found in the file /snmppd-0.4.5/snmppd/snmppd_util.c:
--
...
23 void snmppd_log(int level, char *fmt, va_list args)
24 {
25 char buffer[2048];
26 vsnprintf(buffer, 2048, fmt, args);
27 if (config.debug || config.nofork) {
...
38 } else {
39 if (level >= LOG_INFO) {
40 syslog(level, buffer);
41 }
42 }
43 }
...
45 void log_error(char *fmt, ...)
46 {
...
50 snmppd_log(LOG_ERR, fmt, args);
...
52 }
53
54 void log_info(char *fmt, ...)
55 {
...
59 snmppd_log(LOG_INFO, fmt, args);
...
61 }
62
63 void log_debug(char *fmt, ...)
64 {
...
69 snmppd_log(LOG_DEBUG, fmt, args);
...
72 }
--
As can be seen, snmppd_log() first renders fmt into buffer with vsnprintf() (line 26) and then passes buffer to syslog() as the format string (line 40) instead of as an argument to a constant format. Any '%' directives contained in the data that was formatted into buffer are therefore interpreted a second time, by syslog(). If a remote client can get its data into a logged message, it controls that second format string, and with directives such as %n this becomes an arbitrary memory write and execution of arbitrary code.
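The two formatting passes described above, as an added example that is not snmppd's code: a vulnerable logger modelled on snmppd_log() next to the patched form, plus a small audit helper. It assumes snprintf() into a caller buffer as a stand-in for the syslog() sink, and a constructed untrusted string; the string uses "%%" because that directive is interpreted without consuming an argument, which keeps the demonstration well-defined where a real attacker would use %x, %s or %n.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not snmppd's code. Models the two formatting passes in
 * snmppd_log(): vsnprintf() renders fmt into a buffer, then the sink
 * formats again. The sink is snprintf() into a caller-supplied buffer
 * instead of syslog() so the effect can be observed offline. */

/* Vulnerable form, as in snmppd 0.4.5: the rendered buffer becomes the
 * format string of the second pass. Returns out. */
char *log_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    char buffer[2048];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);

    /* Second pass: '%' sequences that arrived as data are interpreted. */
    snprintf(out, outlen, buffer);
    return out;
}

/* Patched form: the buffer is an argument to a constant format, so its
 * contents are copied verbatim. Returns out. */
char *log_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char buffer[2048];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);

    snprintf(out, outlen, "%s", buffer);
    return out;
}

/* Audit helper (assumed, not from snmppd): reports whether a string holds a
 * conversion a printf-family function would act on, i.e. a '%' that is not
 * part of a "%%" pair. Useful when reviewing what callers hand to
 * log_error()/log_info()/log_debug() as fmt. */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* literal percent, skip the pair */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed untrusted input standing in for data a remote client
     * can get into a logged message. */
    const char *untrusted = "rate 100%% done";
    char out[256];

    printf("vulnerable : %s\n", log_vulnerable(out, sizeof out, "%s", untrusted));
    printf("fixed      : %s\n", log_fixed(out, sizeof out, "%s", untrusted));
    /* Caller mistake the patch does not cover: untrusted data passed as fmt
     * is still interpreted by vsnprintf() in the first pass. */
    printf("bad caller : %s\n", log_fixed(out, sizeof out, untrusted));
    printf("has_conversion(\"%s\") = %d\n", "%x%n", has_conversion("%x%n"));
    return 0;
}
```

The "fixed" line keeps the "%%" intact because the buffer never reaches a format parser again; the "bad caller" line shows why the constant-format change in the sink is only half the fix: every caller must also pass untrusted text as an argument, never as fmt.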
Patch:
snmppd 0.4.5 patch:
=== snmppd-0.4.5.patch ===
--- snmppd_util.c Thu Jul 11 18:52:34 2002
+++ patch/snmppd_util.c Sat Mar 5 23:54:54 2005
@@ -37,7 +37,7 @@
fputc('\n', stdout);
} else {
if (level >= LOG_INFO) {
- syslog(level, buffer);
+ syslog(level, "%s", buffer);
}
}
}
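Review bot: The change at the syslog() call closes the second formatting pass, but it does not cover a caller that passes untrusted data as fmt: vsnprintf(buffer, 2048, fmt, args) at line 26 of snmppd_util.c still interprets such a fmt in the first pass, so every call site of log_error()/log_info()/log_debug() needs auditing to make sure untrusted text only ever travels as a "%s" argument. The debug/nofork branch above the visible fputc('\n', stdout) is outside this hunk and should be checked for the same pattern. Separately, the unchanged condition `if (level >= LOG_INFO)` in the context lines looks inverted: syslog priorities grow numerically as severity falls (LOG_ERR is 3, LOG_INFO is 6, LOG_DEBUG is 7), so as written LOG_ERR messages from log_error() are never sent to syslog while LOG_DEBUG ones are; `level <= LOG_INFO` is probably what was intended.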