![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Flavio Veloso <flaviovs@magnux.com>
To: BUGTRAQ Mailing List <bugtraq@securityfocus.com>
Subject: Re: [CERT-intexxia] libgtop_daemon Remote Format String Vulnerability
Date: Wed, 28 Nov 2001 08:52:27 -0200 (BRST)
On Tue, 27 Nov 2001, Benoît Roussel wrote:
> ________________________________________________________________________
> SECURITY ADVISORY INTEXXIA(c)
> 27 11 2001 ID #1048-261101
> ________________________________________________________________________
> TITLE : libgtop_daemon Remote Format String Vulnerability
> CREDITS : Guillaume Pelat / INTEXXIA
> ________________________________________________________________________
>
>
> SYSTEM AFFECTED
> ===============
>
> libgtop_daemon <= 1.0.12
When investigating this issue I noticed another big security hole in
the daemon. It's a buffer overflow in the same permitted() function,
which may allow the client to execute code on the server. Here's the
code:
permitted (u_long host_addr, int fd)
{
(...)
char buf[1024];
int auth_data_len;
(...)
if (timed_read (fd, buf, 10, AUTH_TIMEOUT, 1) <= 0)
return FALSE;
auth_data_len = atoi (buf);
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_le
n)
return FALSE;
Here you can see the bug in action:
$ perl -e 'print "MAGIC-1\0\0\0\0\0\0\0\0". "2000\0\0\0\0\0\0". ("A"x2000)' | \
nc localhost 42800
The GNOME folks and vendors were already notified. Since this bug is
too obvious to a casual reviewer of the flaw reported by INTEXXIA, and
since a patch is also available (see below), we are treating it as
already disclosed.
Here goes the patch. It should be applied against 1.0.13 (released on
2001-11-27). Notice that this new version _already_ fixed the format
bug, but _not_ the buffer overflow. You should apply the patch or wait
for 1.0.14.
diff -Nru libgtop-1.0.13.orig/src/daemon/gnuserv.c libgtop-1.0.13/src/daemon/gnuserv.c
--- libgtop-1.0.13.orig/src/daemon/gnuserv.c Mon Nov 26 20:37:59 2001
+++ libgtop-1.0.13/src/daemon/gnuserv.c Tue Nov 27 09:16:16 2001
@@ -200,6 +200,12 @@
auth_data_len = atoi (buf);
+ if (auth_data_len < 1 || auth_data_len > sizeof(buf)) {
+ syslog_message(LOG_WARNING,
+ "Invalid data length supplied by client");
+ return FALSE;
+ }
+
if (timed_read (fd, buf, auth_data_len, AUTH_TIMEOUT, 0) != auth_data_len)
return FALSE;
--
Flávio