
FWTK x-gw Security Advisory [GSA2000-01]
gsa2000-01
Published: 2000-10-25 00:00:00
Updated: 2000-10-25 00:00:00

----------------- Original message (ID=C21DD231) (103 lines) ------------------
Return-Path: <owner-bugtraq@securityfocus.com>
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
        by lists.securityfocus.com (Postfix) with SMTP id 80D6A24C422
        for <bugtraq@lists.securityfocus.com>; Thu, 26 Oct 2000 04:55:42 -0700 (PDT)
Received: (qmail 12540 invoked by alias); 26 Oct 2000 11:57:55 -0000
Delivered-To: bugtraq@securityfocus.com
Received: (qmail 12537 invoked from network); 26 Oct 2000 11:57:55 -0000
Received: from anchor-post-34.mail.demon.net (194.217.242.92)
  by mail.securityfocus.com with SMTP; 26 Oct 2000 11:57:55 -0000
Received: from geekgang.demon.co.uk ([158.152.130.167] helo=geekgang.co.uk)
        by anchor-post-34.mail.demon.net with esmtp (Exim 2.12 #1)
        id 13oleT-000C3y-0Y
        for bugtraq@securityfocus.com; Thu, 26 Oct 2000 12:56:57 +0100
Message-ID: <39F80EB3.FA7EE71A@geekgang.co.uk>
Date: Thu, 26 Oct 2000 12:00:03 +0100
From: pre <pre@geekgang.co.uk>
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Subject: FWTK x-gw Security Advisory [GSA2000-01]
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

              geekgang Security Advisory [gsa2000-01]

                        [www.geekgang.co.uk]
                       Copyright 2000 geekgang

ID:             geekgang GSA2000-01 01 v1.0
Topic:          FWTK x-gw format bug
Status:         Release 26th October, 2000
Author:         pre

Credit:         Pekka Savola found the potential problem in the code

[Abstract]
The x-gw (X Windows gateway) component of the TIS Firewall Toolkit
(FWTK) contains a format bug vulnerability that may be exploitable
within some installations, allowing users to execute arbitrary code.

[Description]
The FWTK contains a set of proxy applications that are designed to aid a
computing professional in building a firewall system. It is not a
complete firewall product within itself. As such it is impossible to
ascertain all the different configurations in which the various parts of
the FWTK have been installed.

The x-gw component is designed to proxy connections between X Windows
clients and servers. It would normally be invoked via the tn-gw (Telnet
gateway) component of the FWTK. Installations using this tn-gw
invocation method of the x-gw are not vulnerable to this problem due to
pre-processing of input data that is performed by the tn-gw.
Installations using any other method to invoke the x-gw should check
their vulnerability status.

The x-gw takes the X Windows display to connect to as a command line
parameter or environment variable. It performs some sanity checking on
this input and reports an error if the checks fail. The function that
outputs the error message has a format bug, and uses the supplied
display string as part of the output.

The function at fault is pmsg() in the source file x-gw/pmsg.c

[Solution]
Patch:

--- x-gw/pmsg.c.orig Mon Oct 23 13:21:26 2000
+++ x-gw/pmsg.c Mon Oct 23 13:22:36 2000
@@ -37,9 +37,9 @@
  buf[sizeof(buf)-1] = '\0';
    }

-   if( uselog ) syslog( LLEV, buf );
+   if( uselog ) syslog( LLEV, "%s", buf );
    else {
-       fprintf( stderr, buf );
+       fprintf( stderr, "%s", buf );
        fflush(stderr);
    }
 }
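
Review bot: The context line buf[sizeof(buf)-1] = '\0'; above the two
changed calls only terminates buf after it has been written. The code
that fills buf is outside this hunk, so confirm that write is
length-bounded, because the same display string passes through it. The
"%s" change is the right fix for both the syslog and the stderr branch;
fputs( buf, stderr ) would be an equivalent alternative for the second.
Any call in x-gw that reaches syslog() or fprintf() directly, without
going through pmsg(), needs the same literal-format check.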

[Exploit]
An exploit for this vulnerability will be made available on the geekgang
website.

[Disclaimer]
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY
BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.
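
The defect class this advisory describes, a caller-influenced string
passed as the format argument of syslog() or fprintf(), can be looked for
one source line at a time. The following is an added example, not part of
the advisory or of the FWTK source; the names nonliteral_format and SINKS
and the sample lines are assumptions made for illustration, and the check
is a single-line heuristic, not a C parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Audited functions and the 0-based position of their format argument. */
struct sink { const char *name; int fmt_arg; };
static const struct sink SINKS[] = {
    { "syslog", 1 }, { "fprintf", 1 }, { "printf", 0 },
};

/* Returns 1 if `line` calls an audited function with a non-literal format.
 * Heuristic: call on one line, no commas inside the earlier arguments. */
int nonliteral_format(const char *line)
{
    for (size_t i = 0; i < sizeof SINKS / sizeof SINKS[0]; i++) {
        const char *name = SINKS[i].name, *p = line;
        for (; (p = strstr(p, name)) != NULL; p++) {
            /* Skip matches inside a longer identifier (snprintf, vsyslog). */
            if (p > line && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
                continue;
            const char *a = p + strlen(name);
            while (isspace((unsigned char)*a)) a++;
            if (*a++ != '(') continue;
            /* Step over the arguments that precede the format string. */
            for (int n = 0; a && n < SINKS[i].fmt_arg; n++) {
                a = strchr(a, ',');
                if (a) a++;
            }
            if (!a) continue;
            while (isspace((unsigned char)*a)) a++;
            /* End of line means the format is on the next line: undecided. */
            if (*a != '\0' && *a != '"') return 1;
        }
    }
    return 0;
}

/* Constructed sample: the calls from the advisory's patch, before and after. */
static const char *SAMPLE[] = {
    "   if( uselog ) syslog( LLEV, buf );",
    "       fprintf( stderr, buf );",
    "   if( uselog ) syslog( LLEV, \"%s\", buf );",
    "       fprintf( stderr, \"%s\", buf );",
};

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (nonliteral_format(SAMPLE[i]))
            printf("non-literal format: %s\n", SAMPLE[i]);
    return 0;
}
```

Compilers offer the same check at build time: gcc and clang report these
calls with -Wformat -Wformat-security.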
