zkfingerd Format String vulnerability

December 16th, 2002

NGSSoftware Insight Security Research Advisory

Name: zkfingerd Format String vulnerability

Systems: zkfingerd version 0.9.1 and earlier

Severity: High Risk

Vendor URL: http://sourceforge.net/projects/zkfingerd

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/zkfingerd.txt

Date: 16th December 2002

Advisory number: #NISR16122002A

Description

***********

zkfingerd is an open-source replacement for standard finger daemons running on Linux systems. zkfingerd suffers from several format string vulnerabilities that, when exploited, can allow the remote execution of arbitrary code.

Details

*******

The first format string vulnerability can be found in the putlog() function of log.c. An unsafe call is made to the syslog() function, with the message buffer passed as the format argument:

..
syslog(LOG_INFO, c);        /* c is used as the format string */
..

To make this safe, a constant format string should be specified and the buffer passed as an argument:

..
syslog(LOG_INFO, "%s", c);
..

By fingering a “user” and designing a special format string as the user, it is possible to overwrite arbitrary locations in memory with values supplied by an attacker using the %n specifier. This can lead to arbitrary code execution.

Further format string vulnerabilities, all sharing the same root cause, stem from the say() function:

void
say(char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vprintf(fmt, ap);       /* fmt is interpreted by vprintf() */
    va_end(ap);
    printf("\r\n");
    fflush(stdout);
    return;
}

If say() is called with, as its first argument, not a fixed format string but input that a remote user can control, the vulnerability manifests itself. One such place is in the file_list() function:

if(S_ISDIR(st.st_mode))
{
    char    *y, *z;

    files++;
    z = xmalloc(strlen(de->d_name) + 2);
    strcpy(z, de->d_name);
    strcat(z, "/");
    x = xmalloc(32 + strlen(de->d_name));
    y = my_ctime(st.st_mtime);
    sprintf(x, "\t%-12s\t%s\t– DIR –", z, y);
    say(x);                 /* x, which contains the directory name, becomes the format string */
    xfree(x);
    xfree(y);
    xfree(z);
    continue;
}

In this case, if the name of a directory contains an attacker-supplied format string, it can overwrite arbitrary locations in memory with attacker-supplied values.
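The following is an added illustration, not zkfingerd's code or a patch from its author, of the fix pattern the advisory recommends for both putlog() and the file_list() branch above: the format argument is always a string the programmer wrote, and user-controlled data (the directory name, the log message) only ever travels through the variadic arguments. say_to(), render_dir_entry(), putlog_fixed() and contains_conversion() are hypothetical names; say_to() writes to a buffer instead of stdout so the result can be inspected, the "-- DIR --" label is illustrative, and the format attribute lets GCC/Clang warn at compile time whenever a non-literal format string reaches say_to().

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Compile-time tripwire: with GCC/Clang, passing a non-literal format to
 * say_to() produces a -Wformat-nonliteral / -Wformat-security warning. */
#if defined(__GNUC__)
#define FORMAT_CHECK(f, a) __attribute__((format(printf, f, a)))
#else
#define FORMAT_CHECK(f, a)
#endif

int say_to(char *out, size_t outsz, const char *fmt, ...) FORMAT_CHECK(3, 4);

/* Hardened counterpart of say(): formats into a caller-supplied buffer and
 * appends the "\r\n" that say() prints, when it fits. Returns the length of
 * the formatted text before the CRLF, or -1 on error or truncation. */
int say_to(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    if ((size_t)n + 2 < outsz) {
        out[n] = '\r';
        out[n + 1] = '\n';
        out[n + 2] = '\0';
    }
    return n;
}

/* Fixed form of the file_list() directory branch: instead of sprintf()ing
 * the entry into x and then calling say(x), the name (with its trailing
 * '/') and the timestamp are handed over as %s arguments. A directory
 * named "%x%n" is therefore printed literally, never interpreted. */
int render_dir_entry(const char *d_name, const char *mtime,
                     char *out, size_t outsz)
{
    char z[260];                    /* entry name plus trailing '/' */

    if (snprintf(z, sizeof z, "%s/", d_name) >= (int)sizeof z)
        return -1;
    return say_to(out, outsz, "\t%-12s\t%s\t-- DIR --", z, mtime);
}

/* Fixed form of the putlog() call: constant format, message as argument. */
void putlog_fixed(const char *c)
{
    syslog(LOG_INFO, "%s", c);
}

/* Review helper: does a string contain a conversion character, i.e. a '%'
 * that is not escaped as "%%"? Useful as an assertion on anything that is
 * about to be used as a format; it complements, and does not replace,
 * passing user data through the arguments. */
int contains_conversion(const char *s)
{
    const char *p = strchr(s, '%');

    while (p != NULL) {
        if (p[1] != '%')
            return 1;
        p = strchr(p + 2, '%');
    }
    return 0;
}

int main(void)
{
    char line[128];

    /* Constructed sample: a directory whose name looks like a format string. */
    if (render_dir_entry("%x%n", "Mon Dec 16 2002", line, sizeof line) > 0)
        fputs(line, stdout);        /* the name appears verbatim in the output */
    return 0;
}
```

The contrast with the original file_list() code is the order of operations: the vulnerable version formats first and then hands the finished text to say() as a format, whereas render_dir_entry() formats exactly once, with the directory name already in an argument slot. contains_conversion() is the kind of check one might drop into a unit test or an audit script to catch any remaining call site that still passes a computed string where a format belongs.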

Fix Information

***************

NGSSoftware alerted the author of zkfingerd to these problems on the 27th of November, 2002. The author responded quickly and made the relevant security fixes. Patched source code can be downloaded from CVS @ Sourceforge.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/zkfingerd/zkfingerd/src/

A check for this issue has been added to Typhon III, NGSSoftware’s advanced vulnerability assessment tool. More information is available on the NGS site: http://www.ngssoftware.com/

For more information about format string vulnerabilities, please read:

http://www.nextgenss.com/papers/win32format.doc

http://julianor.tripod.com/usfs.html

About NGSSoftware

*****************

NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware’s sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.

http://www.ngssoftware.com/

http://www.ngsconsulting.com/

Telephone +44 208 401 0070

Fax    +44 208 401 0076

enquiries@ngssoftware.com
