This issue may be already have been on list. I assume
that the moderator this case rejects this mail.
On last non-beta version of cyrus-sasl library have
formatting string bug on default logging callback.
Default cyrys sasl logging callback is
static int _sasl_syslog(void *context __attribute__((unused)),
int priority,
const char *message)
on end of that function there is is
/* do the syslog call. do not need to call openlog */
syslog(syslog_priority | LOG_AUTH, message);
return SASL_OK;
}
syslog takes format string as argument.
That is cyrus-sasl-1.5.24. That is lastest non-beta version on
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
I have told that this is fixed on beta version.
================================================
From: Lawrence Greenfield
Date: Sun, 30 Sep 2001 10:12:19 -0400
If you take a look at
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/cyrus-sasl-1.5.27.tar.gz
you'll notice that it has bug #326 fixed.
================================================
Cyrus-sasl library is used on applications such as
Cyrus Imapd
OpenLDAP
Sendmail
and perhaps others.
If you do not want use beta version, you may fix that yourself.
For example something like
--- lib/common.c.orig Maanantai Heinäkuu 17 20:21:02 2000
+++ lib/common.c Tiistai Lokakuu 2 12:31:13 2001
@@ -596,7 +596,9 @@
}
/* do the syslog call. do not need to call openlog */
- syslog(syslog_priority | LOG_AUTH, message);
+
+ /* Patched by Kari Hurtta -- 2001-10-02 */
+ syslog(syslog_priority | LOG_AUTH, "%s", message);
return SASL_OK;
}
Generally cyrus plugins does not log useraname or similar data to log,
but there is at least one plugin which seems indirectly call that
function with user supplied data. You may also want check if there is
bad data logged in case of protocoll errors.
I should add that author does not believe that to be exploitable.
================================================
From: Lawrence Greenfield
Date: Sun, 30 Sep 2001 10:12:19 -0400
You'll notice that _sasl_syslog() is called only from _sasl_log(),
which does the format expansion itself. I agree that the above is
poor programming (which is why it was fixed) but doesn't appear to be
exploitable (which is why I didn't rush out to release another libsasl
version).
================================================
My opinion is that it does not matter if _sasl_log()
does formatting. Call is something like
log_helper_function("some text %s more text",user_data);
where user_data is passed from somewhere, and includes user suplied data.
_sasl_log() will produce from that string like
some text attack here more text
which is passed to syslog as format string. Data from user_data
("attack here") may include format arguments. Therefor formating done by
_sasl_log() does not matter. _sasl_log() perhaps truncates data from
user_data, but I do not think that it matters.
If you search that bugid
http://bugzilla.andrew.cmu.edu/show_bug.cgi?id=326
you notice that that bug is reported and fixed about one year ago.
So perhaps you have already hear about that...
--
/"\ | Kari
\ / ASCII Ribbon Campaign | Hurtta
X Against HTML Mail |
/ \ |
