Bug#714617: Lingot: several vulnerabilities

2013-07-03 Thread Hamid Zamani
Hi,

The patch is almost ready, please review it and tell me what you think of it.

Thanks,
Hamid Zamani
  

lingot-0.9.1.patch
Description: Binary data


Bug#714617: Lingot: several vulnerabilities

2013-07-01 Thread Hamid Zamani

Yes, you are right, a writing mistake.

OK, I'll submit a patch soon.

Thanks

Date: Mon, 1 Jul 2013 09:27:28 -0300
Subject: Re: Bug#714617: Lingot: several vulnerabilities
From: xa...@evilgiggle.com
To: m...@hamidx9.ir; 714...@bugs.debian.org; cont...@bugs.debian.org
CC: sub...@bugs.debian.org

severity 714617 normal
thanks

Thank you for your report. The problems you identify are bugs, but I think
'critical' is far too high; there is no security risk as lingot runs
unprivileged, and most of the problems are only triggered by active action.

I'm currently quite overwhelmed with real life so I won't have time to look at
this before a while; if you want to submit a patch, I'll be happy to review it
and apply it.

Thanks.

  

Bug#714617: Lingot: several vulnerabilities

2013-07-01 Thread Hamid Zamani



Package: Lingot
version: 0.9.1-2
Severity: critical

Dear Maintainer,

Several vulnerabilities were found in the latest version of lingot, as explained
further below:

[1] :: [File] => lingot-config.c, [Lines] 192 ~ 197:

if ((fp = fopen(filename, "w")) == NULL) {
    char buff[100]; // <= if I select a filename larger than [100 - 26] and
                    //    lead the program to here, the program will crash.
    sprintf(buff, "error saving config file %s ", filename);
    perror(buff);
    return;
}

##

[2] :: [File] => lingot.c, [Lines] 41, 85 ~ 86, 108 ~ 109, 127 ~ 131:

41 : char CONFIG_FILE_NAME[100];

85 ~ 86 :
sprintf(CONFIG_FILE_NAME, "%s/" CONFIG_DIR_NAME DEFAULT_CONFIG_FILE_NAME,
        getenv("HOME"));

108 ~ 109 :
sprintf(CONFIG_FILE_NAME, "%s/%s%s.conf", getenv("HOME"),
        CONFIG_DIR_NAME, optarg);

127 ~ 131 :
char config_dir[100];
sprintf(config_dir, "%s/.lingot/", getenv("HOME"));
printf("creating directory %s ...\n", config_dir);
mkdir(config_dir, 0777); // create the directory.
printf("creating file %s ...\n", CONFIG_FILE_NAME);

If I change $HOME to a longer one, Lingot will crash here.


##


[3] :: [File] => lingot-config.h, [Lines] 41 ~:

41 :
struct _LingotConfig {

    audio_system_t audio_system;

    char audio_dev[3][80]; // <= !!!

    ...

In this section, if I manually set
AUDIO_DEV_ALSA = plughw:0 => AUDIO_DEV_ALSA = plughw...AA:0
the program crashes here.

##

[4] :: [File] => lingot-config.h, [Lines] ??:

251 : void lingot_config_load(LingotConfig* config, char* filename) {

273 ~ 283 :
#   define MAX_LINE_SIZE 100

char char_buffer[MAX_LINE_SIZE];

if ((fp = fopen(filename, "r")) == NULL) {
    sprintf(char_buffer,
            "error opening config file %s, assuming default values ",
            filename); // <= !!!
    perror(char_buffer);
    return;
}

And because of MAX_LINE_SIZE, if I select a longer filename, the program
crashes here.

It is also in 192 ~ 197!

##

If I can help in the fixing process, please let me know.

Thank you,
Hamid Zamani
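A hardened version of the path building, device-name copying and error reporting from the four cases above, added here as an example (it is not Lingot's code and not the reporter's patch); the macro values, the function names and the report_open_error() helper are assumptions:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CONFIG_DIR_NAME ".lingot/"             /* assumed value */
#define DEFAULT_CONFIG_FILE_NAME "lingot.conf" /* assumed value */
#define PATH_BUF_SIZE 100   /* same size as the fixed buffers in the report */
#define AUDIO_DEV_SIZE 80   /* same size as audio_dev[3][80] in lingot-config.h */

/* Build "<home>/.lingot/<name>" into out. snprintf returns the length the
 * full string needs, so a $HOME that does not fit is detected and refused
 * instead of being written past the end of the buffer. Returns 0 on
 * success, -1 if home is missing or the path would be truncated. */
int build_config_path(char *out, size_t n, const char *home, const char *name) {
    if (out == NULL || n == 0 || home == NULL || name == NULL) return -1;
    int len = snprintf(out, n, "%s/" CONFIG_DIR_NAME "%s", home, name);
    if (len < 0 || (size_t)len >= n) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Store a device name read from the config file into one fixed 80-byte slot.
 * A value that would not fit (the over-long plughw string in the report) is
 * rejected instead of overrunning the slot. */
int set_audio_dev(char dst[AUDIO_DEV_SIZE], const char *value) {
    if (dst == NULL || value == NULL || strlen(value) >= AUDIO_DEV_SIZE) return -1;
    memcpy(dst, value, strlen(value) + 1);
    return 0;
}

/* Report a failed fopen() without sprintf'ing the filename into a fixed
 * buffer: the name is a "%s" argument and errno is rendered with strerror(),
 * which is the text perror() would have appended. */
void report_open_error(const char *what, const char *filename) {
    int saved = errno;
    fprintf(stderr, "error %s config file %s: %s\n", what, filename, strerror(saved));
}

int main(void) {
    char path[PATH_BUF_SIZE], dev[AUDIO_DEV_SIZE], long_home[300];
    memset(long_home, 'A', sizeof long_home - 1);   /* constructed over-long $HOME */
    long_home[sizeof long_home - 1] = '\0';
    printf("%d\n", build_config_path(path, sizeof path, "/home/user", DEFAULT_CONFIG_FILE_NAME));
    printf("%s\n", path);
    printf("%d\n", build_config_path(path, sizeof path, long_home, DEFAULT_CONFIG_FILE_NAME));
    printf("%d\n", set_audio_dev(dev, "plughw:0"));
    if (fopen("/nonexistent/lingot.conf", "r") == NULL)
        report_open_error("opening", "/nonexistent/lingot.conf");
    return 0;
}
```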


  

Bug#714612: yardradius: Multiple Format String Vulnerabilities

2013-07-01 Thread Hamid Zamani


> Date: Mon, 1 Jul 2013 12:31:46 +0200
> From: fran...@debian.org
> To: m...@hamidx9.ir; 714...@bugs.debian.org
> CC: sub...@bugs.debian.org
> Subject: Re: Bug#714612: yardradius:  Multiple Format String Vulnerabilities
> 

> Hi, thanks for your report. While the next issue can be easily exploited,
> the previous one is not evident for me: it depends on the args used
> at every single call. Are you suggesting checking each call to see
> if it is exploitable?

No, I checked almost all calls, but at the use of functions like
syslog, vsyslog, snprintf and vfprintf, since you have used buffer in log_msg() and
we don't know its content (maybe %x, %n) and it is then used by vsnprintf, it is
highly recommended to use a "format string" to block the way of exploiting by
an attacker.

So for example, instead of:

#if defined(HAVE_SYSLOG)
    syslog(priority, buffer);

I should use:

#if defined(HAVE_SYSLOG)
    syslog(priority, "%s", buffer);

Also in the other functions that I mentioned above, using an exact format string is
recommended.

Thanks for your response,

Hamid Zamani

  

Bug#714612: yardradius: Multiple Format String Vulnerabilities

2013-07-01 Thread Hamid Zamani
Package: yardradius
Version: 1.1.2-4
Severity: critical (security)

Dear Maintainer,

Several format string vulnerabilities were found in the latest `yardradius`
version, as explained further below:

src/log.c:

void
log_msg(int priority, char *fmt, va_list args)
{
    ...
    char buffer[1024];
    ...
    vfprintf(msgfd, fmt, args);
    ...
    vsnprintf(buffer, 1024, fmt, args);
#if defined(HAVE_SYSLOG)
    syslog(priority, buffer);
    ...
    vsyslog(priority, fmt, args);
    ...
}

So an attacker can fill fmt with, for example, "%x" and see the addresses.



src/version.c:

#define STRVER "%s : YARD Radius Server %s ... $ "

void
version(void)
{
    char buffer[1024];

    build_version(buffer, sizeof(buffer));
    fprintf(stderr, buffer);
    exit(-1);
}

...

void
build_version(char *bp, size_t sizeofbp)
{
    snprintf(bp, sizeofbp-1, STRVER, progname, VERSION);
..

$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...

It seems more vulnerabilities of this type exist in the source;
if I find any other bug I will file them ...

If I can help in patching or anything, please let me know.

Thank you
Hamid Zamani


-- System Information:
Debian Release: Kali Linux 1.0
Architecture: i386 (i686)

Kernel: Linux 3.7-trunk-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages yardradius depends on:
ii  libc6           2.13-38
ii  libgdbm3        1.8.3-11
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1

yardradius recommends no packages.

yardradius suggests no packages.

-- no debconf information
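A hardened form of the log_msg() and build_version() code in this report, applying the "%s" change suggested in the reply earlier on this page, added here as an example (it is not yardradius's own code); the VERSION value, the FILE * parameter on log_msg(), emit_text() and the log_msg_to_string() helper are assumptions:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define VERSION "1.1"   /* assumed value */
#define STRVER "%s : YARD Radius Server %s ... $ "

/* Same formatting as build_version(): progname (argv[0], attacker-chosen)
 * is only ever a %s argument. Returns 0, or -1 if the banner was truncated. */
int build_version(char *bp, size_t n, const char *progname) {
    int len = snprintf(bp, n, STRVER, progname, VERSION);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* The one way text of unknown content reaches a printf-family sink: as the
 * argument of a fixed "%s" format. Replaces fprintf(stderr, buffer). */
int emit_text(FILE *out, const char *text) {
    return fprintf(out, "%s", text) < 0 ? -1 : 0;
}

/* Hardened log_msg(): the caller's fixed fmt is expanded exactly once with
 * vsnprintf; the expanded text then reaches each sink as data, so a %x or %n
 * that arrived inside an argument is printed literally. */
void log_msg(int priority, FILE *msgfd, const char *fmt, ...) {
    char buffer[1024];
    va_list args;
    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);
    emit_text(msgfd, buffer);  /* was: vfprintf(msgfd, fmt, args) */
    (void)priority;            /* syslog would be: syslog(priority, "%s", buffer) */
}

/* Run log_msg() against a temporary file and read the line back. */
int log_msg_to_string(char *out, size_t n, const char *fmt, const char *arg) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    log_msg(0, f, fmt, arg);
    rewind(f);
    if (fgets(out, (int)n, f) == NULL) out[0] = '\0';
    fclose(f);
    return 0;
}

int main(int argc, char **argv) {
    char banner[1024];   /* with the report's "./%x" symlink as argv[0], "%x" stays literal */
    if (build_version(banner, sizeof banner, argc > 0 ? argv[0] : "radiusd") == 0)
        fprintf(stderr, "%s\n", banner);
    log_msg(0, stderr, "login failed for user %s\n", "%x%x");
    return 0;
}
```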