On Tue, 27 Nov 2001, Benoît Roussel wrote:

> ________________________________________________________________________
> SECURITY ADVISORY INTEXXIA(c)
> 27 11 2001 ID #1048-261101
> ________________________________________________________________________
> TITLE : libgtop_daemon Remote Format String Vulnerability
> CREDITS : Guillaume Pelat / INTEXXIA
> ________________________________________________________________________
>
>
> SYSTEM AFFECTED
> ===============
>
> libgtop_daemon <= 1.0.12

When investigating this issue I noticed another big security hole in the
daemon. It's a buffer overflow in the same permitted() function, which may
allow the client to execute code on the server. Here's the code:

permitted (u_long host_addr, int fd)
{
	(...)
	char buf[1024];
	int auth_data_len;
	(...)

	if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
		return FALSE;

	auth_data_len = atoi (buf);

	if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
		return FALSE;

Here you can see the bug in action:

$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
	nc localhost 42800

The GNOME folks and vendors were already notified. Since this bug is too
obvious to a casual reviewer of the flaw reported by INTEXXIA, and since a
patch is also available (see below), we are treating it as already
disclosed.

Here goes the patch. It should be applied against 1.0.13 (released on
2001-11-27). Notice that this new version _already_ fixed the format bug,
but _not_ the buffer overflow. You should apply the patch or wait for
1.0.14.

diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c	Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c	Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@ auth_data_len = atoi (buf); + if (auth_data_len < 1 || auth_data_len > sizeof(buf)) { + syslog_message(LOG_WARNING, + "Invalid data length supplied by client"); + return FALSE; + } + if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len) return FALSE; -- Flávio
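Review bot: the new bound `auth_data_len > sizeof(buf)` admits a length of exactly 1024, which fills `char buf[1024]` completely and leaves no byte for a terminator; if anything after the second timed_read() treats buf as a C string, the limit should be `sizeof(buf) - 1`, or the read should be followed by an explicit `buf[auth_data_len] = '\0'` under that smaller bound. The order of the two tests is right as written: `auth_data_len < 1` short-circuits before the int-to-size_t comparison, so a negative value is rejected without ever being converted to a huge unsigned read count.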
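As an added illustration of the length handling described in the post, and not code from Flávio's message or from libgtop, the C program below models permitted() against a constructed in-memory byte stream instead of a socket. process_auth() with hardened=0 follows the 1.0.13 logic (the client-supplied atoi() result is handed straight to the read as the byte count for a 1024-byte stack buffer) and with hardened=1 applies the patch's bound. build_payload() constructs client input in the same layout as the perl one-liner, minus the MAGIC field, which the model assumes has already been consumed. All function, type and constant names are this example's own assumptions. Rather than actually writing past buf, the unpatched path reports AUTH_WOULD_OVERFLOW once the count exceeds sizeof(buf).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the permitted() excerpt: char buf[1024], 10-byte length field. */
#define BUF_SIZE  1024
#define LEN_FIELD 10

enum auth_result {
    AUTH_REJECTED = 0,       /* permitted() would return FALSE */
    AUTH_ACCEPTED = 1,       /* auth data read within bounds */
    AUTH_WOULD_OVERFLOW = 2  /* unpatched path: count exceeds buf; reported, not written */
};

/* Constructed in-memory stand-in for the socket; replaces timed_read(fd, ...). */
struct stream { const unsigned char *data; size_t len; size_t pos; };

static int stream_read(struct stream *s, unsigned char *dst, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* atoi() on the 10-byte length field, as the daemon does. A copy is
 * terminated first so atoi() cannot run past the field in this model. */
static int parse_len_field(const unsigned char *field)
{
    char tmp[LEN_FIELD + 1];
    memcpy(tmp, field, LEN_FIELD);
    tmp[LEN_FIELD] = '\0';
    return atoi(tmp);
}

/* The bound added by the patch: reject len < 1 or len > sizeof(buf). */
static int len_is_sane(int len, size_t bufsize)
{
    return !(len < 1 || (size_t)len > bufsize);
}

/* Model of the auth handshake in permitted() after the MAGIC field has been
 * consumed: msg holds the 10-byte length field followed by the auth data.
 * hardened=0 reproduces the 1.0.13 logic, hardened=1 applies the patch. */
enum auth_result process_auth(const unsigned char *msg, size_t msglen, int hardened)
{
    unsigned char buf[BUF_SIZE];
    struct stream s = { msg, msglen, 0 };
    int auth_data_len;

    if (stream_read(&s, buf, LEN_FIELD) <= 0)
        return AUTH_REJECTED;
    auth_data_len = parse_len_field(buf);

    if (hardened && !len_is_sane(auth_data_len, sizeof buf))
        return AUTH_REJECTED;

    /* Unpatched: auth_data_len goes straight to the read as the byte count
     * for the 1024-byte stack buffer (a negative value becomes a huge size_t). */
    if (auth_data_len < 0 || (size_t)auth_data_len > sizeof buf)
        return AUTH_WOULD_OVERFLOW;

    if (stream_read(&s, buf, (size_t)auth_data_len) != auth_data_len)
        return AUTH_REJECTED;
    return AUTH_ACCEPTED;
}

/* Build a client payload the way the perl one-liner does: decimal length
 * NUL-padded to 10 bytes, then data_len filler bytes of 'A'. Constructed input. */
size_t build_payload(unsigned char *out, size_t cap, int declared_len, size_t data_len)
{
    size_t need = LEN_FIELD + data_len;
    if (cap < need) return 0;
    memset(out, 0, LEN_FIELD);
    snprintf((char *)out, LEN_FIELD, "%d", declared_len);
    memset(out + LEN_FIELD, 'A', data_len);
    return need;
}

/* Convenience wrapper: build one payload and run it through process_auth(). */
enum auth_result run_case(int declared_len, size_t data_len, int hardened)
{
    unsigned char payload[4096];
    size_t n = build_payload(payload, sizeof payload, declared_len, data_len);
    if (n == 0) return AUTH_REJECTED;
    return process_auth(payload, n, hardened);
}

int main(void)
{
    /* 0 = rejected, 1 = accepted, 2 = would overflow buf in the unpatched daemon */
    int lens[] = { 16, 1024, 1025, 2000, -5 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t data = lens[i] > 0 ? (size_t)lens[i] : 0;
        printf("len %5d: unpatched=%d patched=%d\n", lens[i],
               run_case(lens[i], data, 0), run_case(lens[i], data, 1));
    }
    return 0;
}
```

Build with `cc -Wall -std=c99`. The 2000-byte length from the post's one-liner comes back AUTH_WOULD_OVERFLOW unpatched and AUTH_REJECTED patched, while a declared length of exactly 1024 is accepted on both paths, since the patch's check only rejects values strictly greater than sizeof(buf).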