107332 2003-07-08 22:36 /113 lines/ yan feng <jsk@ph4nt0m.net>
Imported: 2003-07-08 22:36 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5455>
Subject: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities
------------------------------------------------------------
========================================
Ph4nt0m Security Advisory 2#2003--7-7
========================================
Title: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities
Advisory Number : SRT2003-7-7-002
Product : zkfingerd
Version : 2.0.2 (possibly all versions)
Vendor : http://sourceforge.net/projects/zkfingerd
Class : Local & remote
Criticality : high
Operating System(s) : *nix
***************************************************************************
High Level Description : Format String Vulnerabilities in syslog() and fprintf()
***************************************************************************
Technical Details
************************************************************************
zkfingerd-r3-0.9 could be remotely exploitable; the latest version, 2.0.2, also
has a Format String Vulnerability.
Code found in src/die.c (_finger_error), line 107:
    _finger_error(int options, char *function, char *file,
                  int line, char *msg, ...)
    {
        va_list ap;

        va_start(ap, msg);

        chomp(msg);

    #ifdef DEBUG
        if(options & DEBUG_ERROR)
            fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
        else
    #endif
        if(!(options & QUIET_ERROR))
            fprintf(stdout, "< ");

        if(strchr(msg, '%') != NULL && !ap)
        {
            if(!(options & QUIET_ERROR))
                fprintf(stdout, msg);   /* <--- point: msg could be provided by us */
    #ifndef NO_SYSLOG
            syslog(LOG_CRIT, msg);      /* <--- possible */
    #endif
        }
        else
        {
            if(!(options & QUIET_ERROR))
                vfprintf(stdout, msg, ap);
    #ifndef NO_SYSLOG
            vsyslog(LOG_CRIT, msg, ap);
    #endif
        }

        if(!(options & QUIET_ERROR))
        {
    #ifdef DEBUG
            fprintf(stdout, "%s\r\n",
                    (!(options & DEBUG_ERROR)) ? " >" : "");
    #else
            fprintf(stdout, " >\r\n");
    #endif
        }

        va_end(ap);

        fflush(stdout);

        if(options & FATAL_ERROR)
            exit(1);

        return;
    }
So it is possible to corrupt memory by passing format strings
through the vulnerable function. This may potentially be exploited
to overwrite arbitrary locations in memory with attacker-specified
values.
I am studying the code; I will provide how to attack & exploit......
***************************************************************************
By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail:jsk@ph4nt0m.net
ph4nt0m Security Home: http://www.ph4nt0m.net
My World: http://jsk.njsafe.com
My GnuPG Public Key:http://202.119.104.82/webeq/app/jsk/jsk.asc
(107332) /yan feng <jsk@ph4nt0m.net>/-----(Rewrapped)
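A hardened counterpart of the _finger_error() routine quoted in the advisory above, added here as an example; it is not zkfingerd's code and not part of either message. The names count_directives(), format_error_line() and selftest() and the QUIET_ERROR/DEBUG_ERROR values are assumptions, and the sample message is constructed. The point it demonstrates is the fix for the pattern the advisory marks: caller-supplied text is only ever the argument of a fixed "%s" format, so a '%' sequence in it is written out as data rather than interpreted, and count_directives() is the check a reviewer can apply to any string that reaches a printf-family or syslog() format parameter.

```c
/* Added example: hardened counterpart of zkfingerd's _finger_error()
 * (not the project's code).  Assumed names: count_directives(),
 * format_error_line(), selftest(); flag values are placeholders. */
#include <stdio.h>
#include <string.h>

#define QUIET_ERROR 0x01   /* placeholder values, not zkfingerd's */
#define DEBUG_ERROR 0x02

/* Count printf conversion directives in msg.  "%%" is an escaped percent
 * sign and is not counted.  For text of external origin, a non-zero
 * result means the string must never be used as a format argument. */
int count_directives(const char *msg)
{
    int n = 0;
    const char *p;

    for (p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Safe counterpart of _finger_error(): msg is never the format string.
 * It is always the argument of a fixed "%s", so a '%' inside it is
 * emitted as data.  The caller formats its own arguments with a trusted
 * format (vsnprintf) before calling.  The finished line is written to
 * buf; the return value is the number of characters stored (without the
 * terminator), -1 on error, or 0 when QUIET_ERROR suppresses output. */
int format_error_line(char *buf, size_t size, int options,
                      const char *function, const char *file, int line,
                      const char *msg)
{
    int n;

    if (size == 0)
        return -1;
    buf[0] = '\0';
    if (options & QUIET_ERROR)
        return 0;

    if (options & DEBUG_ERROR)
        n = snprintf(buf, size, "DBG %s:%s:%d: %s\r\n",
                     function, file, line, msg);
    else
        n = snprintf(buf, size, "< %s >\r\n", msg);

    if (n < 0)
        return -1;
    if ((size_t)n >= size)       /* truncated: report what was stored */
        return (int)size - 1;
    return n;
}

/* Returns 1 when a hostile-looking message survives literally. */
int selftest(void)
{
    char buf[128];
    const char *msg = "no such user %n%n%x";   /* constructed sample */
    const char *want = "< no such user %n%n%x >\r\n";
    int n = format_error_line(buf, sizeof buf, 0, "finger_user",
                              "finger.c", 42, msg);

    return n == (int)strlen(want)
        && strcmp(buf, want) == 0
        && count_directives(msg) == 3;
}

int main(void)
{
    char buf[128];

    format_error_line(buf, sizeof buf, DEBUG_ERROR, "finger_user",
                      "finger.c", 42, "no such user %n%n%x");
    fputs(buf, stdout);   /* the %n%n%x appears verbatim in the output */
    return selftest() ? 0 : 1;
}
```

The same rule applies to the syslog() branch of the original: the finished line goes out as `syslog(LOG_CRIT, "%s", buf)`, never as `syslog(LOG_CRIT, msg)`. Compiling with -Wformat-security flags every call where a non-literal string is used as a printf or syslog format, which is the quickest way to find this pattern across a code base.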
107389 2003-07-09 19:03 /164 lines/ Vade 79 <v9@fakehalo.deadpig.org>
Imported: 2003-07-09 19:03 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5475>
Subject: Re: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities
------------------------------------------------------------
In-Reply-To: <20030708063317.8474.qmail@www.securityfocus.com>
went through the zkfingerd-2.0.2 source after reading this. curious
on exploitation :)... anyways, i am not seeing anywhere in the
source where the "msg" buffer can allow for direct user
input (formats). only static data/proper formats (including ones that
look bad, but still are just static data in a buffer), in all the
die(), warn(), and putlog() functions, which use the
_fingerd_error() function.
maybe i am just not seeing it? but, i looked a couple of times. inform
me if i am misinformed about it. :/
Vade79 -> fakehalo.deadpig.org -> fakehalo.
(107389) /Vade 79 <v9@fakehalo.deadpig.org>/(Rewrapped)