zkfingerd is an open-source replacement for standard finger daemons running on Linux systems. zkfingerd suffers from several format string vulnerabilities that, when exploited, can allow the remote execution of arbitrary code.
Credit:
The original advisory can be downloaded from: http://www.nextgenss.com/advisories/zkfingerd.txt.
The information has been provided by NGSSoftware Insight Security Research.
Vulnerable systems:
* zkfingerd version 0.9.1 and earlier
Details:
The first format string vulnerability is in the putlog() function of log.c, where the log message c, which carries the remotely supplied request, is passed to syslog() as the format string:
..
syslog(LOG_INFO, c);
..
To make this safe, a constant format string should be supplied and c passed as its argument:
..
syslog(LOG_INFO,"%s", c);
..
By fingering a "user" whose name is a specially crafted format string, an attacker can use the %n specifier (which writes the number of bytes output so far to the address held in the corresponding argument) to overwrite arbitrary locations in memory with attacker-supplied values. This can lead to arbitrary code execution.
Further format string vulnerabilities, all with the same root cause, stem from the say() function:
void
say(char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    printf("\r\n");
    fflush(stdout);
    return;
}
Wherever say() is called with data a remote user can control as its first argument, rather than a constant format string, the vulnerability manifests. One such place is the file_list() function:
if(S_ISDIR(st.st_mode))
{
    char *y, *z;
    files++;
    z = xmalloc(strlen(de->d_name) + 2);
    strcpy(z, de->d_name);
    strcat(z, "/");
    x = xmalloc(32 + strlen(de->d_name));
    y = my_ctime(st.st_mtime);
    sprintf(x, "\t%-12s\t%s\t-- DIR --", z, y);
    say(x);
    xfree(x);
    xfree(y);
    xfree(z);
    continue;
}
Here the directory name is first copied into x by sprintf() and x is then handed to say() as its format string, so a directory whose name contains attacker-supplied format directives can overwrite arbitrary locations in memory with attacker-supplied values. The same remedy applies: call say("%s", x), or pass the constant format and its arguments to say() directly instead of building x.
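The following is an added example written for this page; it is not zkfingerd's code and it does not touch the network or syslog. It reproduces the say() call shape from both vulnerable sites (the syslog(LOG_INFO, c) call in putlog() and the say(x) call in file_list()) beside the fixed shape, renders into a buffer instead of stdout so the two can be compared, and adds a small audit helper that counts live printf directives in data that is about to be used as a format string. The timestamp string and the directory name "%%" are constructed inputs; dir_line_unsafe(), dir_line_safe(), say_into() and format_directives() are names chosen here, not functions of the project.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample timestamp standing in for my_ctime()'s result. */
#define SAMPLE_MTIME "Fri Nov 29 12:00:00 2002"

/* The say() shape from the advisory, but rendering into a buffer instead of
 * stdout so the two call styles can be compared. fmt is parsed by vsnprintf
 * exactly as zkfingerd's vprintf() parses it. */
static void say_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (mirrors file_list): the directory name is substituted
 * into x first, then x, which now contains the attacker's bytes, is handed
 * to say() as the format string and parsed a second time. */
const char *dir_line_unsafe(const char *dname, const char *mtime)
{
    static char out[256];
    char x[256];
    snprintf(x, sizeof x, "\t%-12s\t%s\t-- DIR --", dname, mtime);
    say_into(out, sizeof out, x);   /* x is the format: '%' in dname is live */
    return out;
}

/* Fixed shape: the format is a constant and dname only ever travels as a
 * %s argument, so printf never scans it for directives. */
const char *dir_line_safe(const char *dname, const char *mtime)
{
    static char out[256];
    say_into(out, sizeof out, "\t%-12s\t%s\t-- DIR --", dname, mtime);
    return out;
}

/* Audit helper: number of directives in s that printf would act on.
 * A literal "%%" prints one '%' and consumes nothing, so it is skipped;
 * anything else, including a lone trailing '%', counts. Data about to be
 * used as a format string must score zero. */
int format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* escaped percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* A directory literally named "%%" is harmless but makes the second
     * parse visible: the unsafe path collapses it to a single '%'. A name
     * of "%n" on the unsafe path instead writes to whatever the next
     * variadic-argument slot holds, which is the advisory's bug. */
    const char *dname = "%%";
    printf("unsafe: [%s]\n", dir_line_unsafe(dname, SAMPLE_MTIME));
    printf("safe:   [%s]\n", dir_line_safe(dname, SAMPLE_MTIME));
    printf("live directives in the unsafe path's format: %d\n",
           format_directives("\t%%          \t" SAMPLE_MTIME "\t-- DIR --"));
    printf("live directives in %%08x%%08x%%n: %d\n",
           format_directives("%08x%08x%n"));
    return 0;
}
```

Compile with -Wformat-security as well: gcc warns on printf-family calls whose format is not a literal and has no arguments, which is exactly the syslog(LOG_INFO, c) pattern above, but it cannot see through a wrapper like say() unless that wrapper is declared with __attribute__((format(printf, 1, 2))), so the directive count is a useful backstop for data that passes through such wrappers.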
Fix Information:
NGSSoftware alerted the author of zkfingerd to these problems on the 27th of November, 2002. The author responded quickly and made the relevant security fixes. Patched source code can be downloaded from CVS at SourceForge:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/