Date: Mon, 26 Nov 2001 08:09:57 +0100
From: =?iso-8859-1?Q?Beno=EEt_Roussel?= <benoit.roussel@intexxia.com>
To: bugtraq@securityfocus.com
Subject: [CERT-intexxia] Auto Nice Daemon Format String Vulnerability
Cc: CERT - INTEXXIA <cert@intexxia.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
26 11 2001 ID #1047-231101
________________________________________________________________________
TITLE : Auto Nice Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________
SYSTEM AFFECTED
===============
AND <= 1.0.4
________________________________________________________________________
DESCRIPTION
===========
Auto Nice Daemon is vulnerable to a format string bug that can be
exploited by a local user to gain higher privileges.
________________________________________________________________________
DETAILS
=======
AND (Auto Nice Daemon, http://and.sourceforge.net/) is a daemon
which allows to automatically change a user process if it uses too much
CPU time. It can also kill the process if it goes beyond a defined
level.
AND is vulnerable to a format string bug. A local user can exploit this
issue to gain higher privileges on the local system. He only need to run
a process with a name containing a format string, like '%n%n%n%n'.
The problem occurs when the program calls the syslog(3) function with
the process name as second parameter. As a user can create a process
named as he wants, it is easy to exploit this vulnerability.
Complete exploitation of this vulnerability can conduct to a privilege
escalation on the system. As the AND process runs as 'root', a local
user could execute arbitrary code with the 'root' privileges.
________________________________________________________________________
PROOF OF CONCEPT
================
It is simple to create a program using a lot of the CPU time
with a special name to exploit this bug :
% cat foo.c
int main()
{
while (1);
return 0;
}
% gcc foo.c -o %n%n%n%n
% ./%n%n%n%n
This causes a segmentation fault in the AND daemon.
________________________________________________________________________
SOLUTION
========
There is an official solution right now. It can be found on the
following web site. Update AND to the version 1.0.5 :
http://and.sourceforge.net
You can also apply the following patch which fixes the vulnerability :
diff -dru and-1.0.4/and.c and-1.0.4-patched/and.c
--- and-1.0.4/and.c Sat Jul 7 21:43:15 2001
+++ and-1.0.4-patched/and.c Fri Nov 23 11:50:27 2001
@@ -218,7 +218,7 @@
fflush(out);
} else {
/* write to syslog if in full operations */
- syslog(LOG_WARNING,buffer);
+ syslog(LOG_WARNING, "%s", buffer);
}
}
va_end(args);
________________________________________________________________________
VENDOR STATUS
=============
23-11-2001 : This bulletin was sent to AND developpers team.
23-11-2001 : Answer from AND developpers team with a fix.
________________________________________________________________________
CONTACT
=======
Laboratory intexxia cert@intexxia.com
INTEXXIA Standard : +33 1 55 69 49 10
171, av. Georges Clemenceau Fax : +33 1 55 69 78 80
92024 Nanterre Cedex
France
(c) Intexxia 2001, any copy of this file even partial is subject to a
preliminary agreement of Intexxia.
The opinions expressed in this file are not necessarily the opinion of
all Intexxia staff members.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>;
iQA/AwUBPAHqwk2N8BNyNDXLEQKf5gCfSb0109mCHTxulBKk9y+zG8XPTWUAnjo7
rcq5WXem5PEt6YbBPEyqQNyk
=ncTa
-----END PGP SIGNATURE-----
