5513366 2000-09-26 07:51 /115 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12942> Ärende: Format strings: bug #2: LPRng ------------------------------------------------------------ From: Chris Evans <chris@SCARY.BEASTS.ORG> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <Pine.LNX.4.21.0009252359560.25714-100000@ferret.lmh.ox.ac.uk> Hi, SUMMARY ------- LPRng is almost certainly vulnerable to remote-root compromise on account of a format string bug. The flaw is almost identical to the rpc.statd one I found; namely a faulty syslog() wrapper. This is becoming a very common flaw. Details ------- Here is a code excerpt from: /LPRng-3.6.22/src/common/errormsg.c, use_syslog() --- static void use_syslog(int kind, char *msg) ... # ifdef HAVE_OPENLOG /* use the openlog facility */ openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY ); syslog(kind, msg); closelog(); # else (void) syslog(SYSLOG_FACILITY | kind, msg); # endif /* HAVE_OPENLOG */ ... --- Here we see two classic format string bugs. Both syslog() calls are missing a "%s" format string argument. But how exploitable is this? Does the daemon log any use supplied data? Let's do a test on the extremely recently released RedHat7.0, which has switched to LPRng. [chris@localhost chris]$ telnet localhost printer Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. Mary had a little lamb. Connection closed by foreign host. ... grep lamb /var/log/messages Sep 24 07:38:36 localhost SERVER[1282]: Dispatch_input: bad request line 'Mary had a little lamb.^M' ... Well, how obliging of (my particular version) of LPRng to log any input line I give it. Just to confirm %'s cause trouble: Client: [chris@localhost chris]$ telnet localhost printer Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. %s%s%s%s%s%s%s%s%s%s Server: Program received signal SIGSEGV, Segmentation fault. 0x400f7c66 in _IO_vfprintf (s=0x80c53a0, format=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed0c) at ../sysdeps/i386/i486/bits/string.h:529 (gdb) bt #0 0x400f7c66 in _IO_vfprintf (s=0x80c53a0, format=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed0c) at ../sysdeps/i386/i486/bits/string.h:529 #1 0x4017d60b in vsyslog (pri=6, fmt=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed08) at syslog.c:193 #2 0x4017d447 in syslog (pri=6, fmt=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'") at syslog.c:102 ... The program has root privs at this time; (gdb) print geteuid() $1 = 4 <-- initially encouraging (gdb) print getuid() $2 = 0 <-- depressing FIX --- - Add "%s" arguments to the syslog() calls - Firewall the printer port Exploit ------- Not my scene. I'm sure some friendly black hat will come out with one soon, though. Perhaps remembering to credit me this time? ;-) Cheers Chris (5513366) ------------------------------------------(Ombruten)