8547981 2002-06-04 12:45 -0400  /75 lines/ zillion <zillion@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2002-06-04  21:59  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <22502>
Subject: SRT Security Advisory (SRT2002-06-04-1011): slurp
------------------------------------------------------------
From: zillion <zillion@snosoft.com>
To: <bugtraq@securityfocus.com>
Cc: <vuln-dev@securityfocus.com>
Message-ID: <20020604124231.L71014-100000@mail.snosoft.com>

======================================================================

Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1011)

Topic  : Slurp news retriever remote format string vulnerability
Date   : June 04, 2002
Credit : zillion[at]safemode.org
Site   : http://www.snosoft.com

======================================================================

.: Description:
---------------

 Slurp is an advanced passive NNTP client for UNIX. It will connect
 to a remote NNTP server and retrieve articles in a specified set of
 Usenet newsgroups that have arrived after a particular date
 (typically the last time it was invoked) for processing by your
 local news system or forwarding on via UUCP to another news
 system. It replaces nntpxfer from the NNTP 1.5.12 reference
 implementation and nntpget from the INN distribution.

 This application passes error messages received from the NNTP server
 it is connected to straight to syslog as the format string. The code
 responsible for this security issue:

 log_doit (int sysflag, const char *fmt, va_list ap)
 {
         ...snip snip...

 #ifdef SYSLOG
         if (!debug_flag)
                 syslog (LOG_ERR, buf);  /* buf holds server-supplied text and is used as the format string */
         ...snip snip...
 }

 The FreeBSD port of this application was compiled with syslog and is
 therefore affected. The format string bug is easy to trigger. To find
 out whether your slurp is vulnerable, point it at a listener like this:

 perl -e 'print "200 Hello brother \n666 %x%x%x\n"' | nc -l -p 119

 Then check /var/log/messages for something like:

 Jun  5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error:
 got '666 bfbff4f8804bc1bbfbff51c'

.: Impact:
----------
 Malicious server owners can use this vulnerability to execute code
 on affected systems.

.: Systems Affected:
--------------------

 Systems running slurp version 1.1.0 are known to be affected by this
 vulnerability.

Cheers,

zillion