BugTraq
Re: zkfingerd-2.0.2(the last version)Format String Vulnerabilities Jul 08 2003 10:42PM
Vade 79 (v9 fakehalo deadpig org)
In-Reply-To: <20030708063317.8474.qmail (at) www.securityfocus (dot) com [email concealed]>

went through the zkfingerd-2.0.2 source after reading this. curious on exploitation :)... anyways, i am not seeing anywhere in the source where the "msg" buffer can allow for direct user input (formats). only static data/proper formats (including ones that look bad, but still are just static data in a buffer) in all the die(), warn(), and putlog() functions, which use the _fingerd_error() function.

maybe i am just not seeing it? but, i looked a couple times. inform me if i am misinformed about it. :/

Vade79 -> fakehalo.deadpig.org -> fakehalo.


>Date: 8 Jul 2003 06:33:17 -0000


>From: yan feng <jsk (at) ph4nt0m (dot) net [email concealed]>

>To: bugtraq (at) securityfocus (dot) com [email concealed]

>Subject: zkfingerd-2.0.2(the last version)Format String Vulnerabilities

>

>

>

> ========================================

> Ph4nt0m Security Advisory 2#2003--7-7

> ========================================

> Title: zkfingerd-2.0.2(the last version)Format String Vulnerabilities

>

> Advisory Number : SRT2003-7-7-002

> Product : zkfingerd

> Version : 2.0.2 (possibility All versions )

> Vendor : http://sourceforge.net/projects/zkfingerd

> Class : Local&remote

> Criticality : high

> Operating System(s) : *nix

>

>

>

> ************************************************************************
> High Level Description : Format String Vulnerabilities in syslog() and fprintf()
> ************************************************************************

>

> Technical Details

> ************************************************************************

> zkfingerd-r3-0.9 could be remotely exploitable; the latest version, 2.0.2, also has a format string vulnerability.
> code found in src/die.c (_finger_error):107
> .........................................
> _finger_error(int options, char *function, char *file,
>               int line, char *msg, ...)
> {
>     va_list ap;
>
>     va_start(ap, msg);
>
>     chomp(msg);
>
> #ifdef DEBUG
>     if(options & DEBUG_ERROR)
>         fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
>     else
> #endif
>     if(!(options & QUIET_ERROR))
>         fprintf(stdout, "< ");
>
>     if(strchr(msg, '%') != NULL && !ap)
>     {
>         if(!(options & QUIET_ERROR))
>             fprintf(stdout, msg);      /* ..... point (msg could be provided by us) */
> #ifndef NO_SYSLOG
>         syslog(LOG_CRIT, msg);         /* ..... possible */
> #endif
>     }
>     else
>     {
>         if(!(options & QUIET_ERROR))
>             vfprintf(stdout, msg, ap);
>
> #ifndef NO_SYSLOG
>         vsyslog(LOG_CRIT, msg, ap);
> #endif
>     }
>
>     if(!(options & QUIET_ERROR))
>     {
> #ifdef DEBUG
>         fprintf(stdout, "%s\r\n",
>                 (!(options & DEBUG_ERROR)) ? " >" : "");
> #else
>         fprintf(stdout, " >\r\n");
> #endif
>     }
>
>     va_end(ap);
>
>     fflush(stdout);
>
>     if(options & FATAL_ERROR)
>         exit(1);
>
>     return;
> }

>

>

> So it is possible to corrupt memory by passing format strings through the vulnerable function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values.
>
> I am studying the code; I will provide how to attack & exploit......

>

>

>

> ..............................................................................
> ************************************************************************

>By "jsk" (akun), in ph4nt0m.net(c) Security.

>

>E-mail:jsk (at) ph4nt0m (dot) net [email concealed]

>

>ph4nt0m Security Home: http://www.ph4nt0m.net

>My World: http://jsk.njsafe.com

>My GnuPG Public Key:http://202.119.104.82/webeq/app/jsk/jsk.asc

>

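The weak point in the quoted _finger_error() is that it decides at run time, from `strchr(msg, '%')` and the non-portable `!ap` test, whether `msg` is a format or plain text, and on the "plain" path still hands it to fprintf()/syslog() as a format. The usual fix is to make that distinction in the API instead: one entry point takes a trusted, compile-time format (checked by the compiler's printf attribute), the other takes untrusted text and always renders it through a "%s" conversion. The example below is added here and is not zkfingerd's code; the QUIET_ERROR value, the function names and the output-to-buffer shape (so the result can be checked) are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed flag value for this example; zkfingerd's real option bits are not on the page. */
#define QUIET_ERROR 0x01

/* Render one "< ... >" error line into out, mirroring what _finger_error writes to stdout.
 * fmt must be a trusted format string; the printf attribute lets the compiler reject
 * call sites that pass a non-literal or mismatched arguments. */
static int render_error_fmt(char *out, size_t outsz, int options, const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

static int render_error_fmt(char *out, size_t outsz, int options, const char *fmt, ...)
{
    char body[512];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);   /* bounded, trusted format only */
    va_end(ap);

    if (options & QUIET_ERROR) {
        out[0] = '\0';
        return 0;
    }
    return snprintf(out, outsz, "< %s >\r\n", body);
}

/* Untrusted text (for example a finger query echoed back in an error) always goes
 * through a "%s" conversion, so any '%' in it is data, never a directive.
 * A real daemon would do the same for syslog(): syslog(LOG_CRIT, "%s", untrusted). */
static int render_error_str(char *out, size_t outsz, int options, const char *untrusted)
{
    return render_error_fmt(out, outsz, options, "%s", untrusted);
}

/* Count printf conversion directives in a string, treating "%%" as a literal percent.
 * Handy as a detection check on inbound data or log lines: a non-zero count on text
 * that should never be a format is worth alerting on. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is an escaped '%' */
        n++;
    }
    return n;
}
```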