======================================== INetCop Security Advisory #2002-0x82-009 ======================================== * Title: Remote multiple vulnerability in apt-www-proxy. 0x01. Description __ bash$ lynx -dump http://ironsides.terrabox.com/~ahzz/apt-www-proxy/ apt-www-proxy apt-www-proxy is a proxy server designed specificly for apt-get http:// repositories. It gathers files that clients request, and then simultaneously retrieves, streams to client, and to local disk archive based on a set of archive mappings a lot like apt-proxy does. I decided to write this due to the unstable nature of apt-proxy. IMHO this is due to it being written in shell script. It's a good design, just was never implemented in the right kind of language. [1]apt-www-proxy 0.1 - accepts clients and automaticly says "not found". nifty eh? 8-P And of course, who would be without the [2]latest snapshot! Back to my [3]homepage! References 1. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/apt-www-proxy-0.1.tar.gz 2. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/latest-AWP.tar.bz2 3. http://ironsides.terrabox.com/~ahzz/index.html bash$ -- OK, Let's analyze. Examine syslog() function first. There is awp_log() function to 173 lines of 'src/utils.c' code. __ 173 void awp_log(int level, const char *message) ... 222 if((level < LOG_DEBUG) || (1 == logit)) 224 /* log that information */ 227 syslog(level, message); // Here. ... -- It's very bad state. awp_log() function is used as follows. Format string bug happens by setting file error log. Let's find awp_log() function in 'apt-www-proxy.c' code. __ 47 awp_log(LOG_DATA, errlog); 78 awp_log(LOG_DATA, errlog); 93 awp_log(LOG_DATA, errlog); 130 awp_log(LOG_DATA, errlog); 146 awp_log(LOG_DATA, errlog); 157 awp_log(LOG_GEN, errlog); 287 awp_log(LOG_NOTICE, errlog); 500 awp_log(LOG_NOTICE,errlog); 510 awp_log(LOG_CRIT, errlog); 527 awp_log(LOG_ERR, errlog); 538 awp_log(LOG_INFO, errlog); 546 awp_log(LOG_NOTICE, errlog); 554 awp_log(LOG_NOTICE, errlog); 560 awp_log(LOG_NOTICE, errlog); 572 awp_log(LOG_NOTICE, errlog); -- Second, examine remote DoS vulnerability. We read 'utils.c' code again. __ 260 int parse_get(struct client * client) ... 268 /* now match against the archives */ 269 if(!strncmp("http://";, client->get, 7)) // Here. 270 { 271 /* AHHA! It's a full URL. */ -- If 'client->get' value is NULL, strncmp() function segfault happens crash. Program function execution structure is as following. ---------------------------------------------------------------------- main()->main_loop()->process_cli()->parse_get()->strncmp()->'segfault' ---------------------------------------------------------------------- 0x02. Vulnerable Packages Vendor site: http://ironsides.terrabox.com/~ahzz/apt-www-proxy/ apt-www-proxy 0.1 -apt-www-proxy-0.1.tar.gz +Linux 0x03. Exploit Do you want exploit code? Very regrettable. :-( We don't want to compose DoS code. 0x04. Patch === utils.patch === --- utils.c Mon Oct 22 15:20:29 2001 +++ utils.patch.c Sat Nov 30 02:26:35 2002 @@ -224,11 +224,11 @@ /* log that information */ if(background) { - syslog(level, message); + syslog(level, "%s", message); } else { - fprintf(stderr, message); + fprintf(stderr, "%s", message); } } } @@ -265,6 +265,10 @@ struct urlmask *curu = urls; int found = 0; + if(client->get==NULL) + { + return(0); + } /* now match against the archives */ if(!strncmp("http://";, client->get, 7)) { === eof === P.S: Sorry, for my poor english. -- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security. MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com INetCop Security Home: http://www.inetcop.org (Korean hacking game) My World: http://x82.i21c.net GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y -- -- _______________________________________________ Get your free email from http://www.hackermail.com Powered by Outblaze
