By Jake Edge
February 1, 2012
A recent sudo advisory described a "format string vulnerability" that could be used for privilege escalation. Since sudo runs as setuid-root, that means that it could potentially be used by a regular user—not just one listed in the /etc/sudoers file—to compromise the system. As with many security flaws, format string vulnerabilities are the result of improper handling of user-supplied input. Given this latest report, it's probably worth taking a look at how these kinds of vulnerabilities come about.

For those who aren't C programmers, a little background may be in order. The standard C library function for printing things to stdout is printf()—other functions in the same family can be used to print to stderr, character buffers, or other files. That function takes a string as its first argument which can contain special formatting characters that describe the types of the rest of the arguments. For example:
printf("hello, world\n");
printf("%s\n", "hello, world");
printf("%s, %s\n", "hello", "world");
would all print the canonical string to stdout. The "%s" is the format specifier for a string, so the function expects the corresponding argument to be a pointer to a null-terminated array of characters.

Members of the printf() family use the "varargs" (variable arguments) facility of the C language to take an arbitrary number of arguments. When the formatting string is parsed, values are popped off the stack in the order they are listed. Those values are expected to be there by the function, but, given the existing ABI, the compiler does not (in fact cannot) enforce that they be placed there by the caller. That's where the problem can occur.

In the easy case, compilers can and do warn when there is a mismatch between the format string and arguments. A call like:
printf("hello, %s\n");
will cause a warning if the warning level is set high enough (like -Wall for GCC). But those kinds of problems are relatively easily found. A trickier problem occurs with something like:
printf(str);
which is perfectly legal as long as str contains no formatting characters. If it does, however, the function will happily pop things off the stack that don't correspond to the arguments in that formatting string. For GCC, the "-Wformat -Wformat-nonliteral" flags can be used to detect this kind of thing. In the "best" case, having format specifiers in str will lead to a program crash; in the worst, it could end up executing code. If str comes from user-supplied input, an attacker may be able to arrange just the right formatting string to execute code of their choosing.

That may be bad enough for a program run as an unprivileged user (as the attacker's code might be the equivalent of "rm -rf $HOME"), but it is far worse if the program has root privileges as sudo does. According to Wikipedia, format string bugs were noted in 1990, but were not recognized as a security problem until a researcher auditing proftpd reported a way to exploit the bug. That exploit used the "%n" format, which stores the number of characters printed so far to an integer pointer it pops off the stack. By arranging just the right format string, the exploit would overwrite the current user ID.

In the sudo case, the program name (which is stored in argv[0] for C programs) was being printed as part of an error message. As the advisory from the finder describes, the program name was "printed" into a buffer (using a variant of sprintf()), and that buffer was then handed off to a vfprintf() as the format string. That meant that the user-controlled program name—which could certainly contain format specifiers—was used as the format string for the vfprintf().

The fix for sudo is to ensure that the program name is printed with a "%s" specifier in the final print statement, rather than building it into the earlier buffer.

How can the user control the program name, especially for a setuid binary like sudo? That's not very hard either:
$ ln -s /usr/bin/sudo %n
The sudo advisory notes that building sudo with -D_FORTIFY_SOURCE=2 will prevent these kinds of exploits, though the advisory from the finder notes an article in Phrack that may make it possible to bypass that protection. The problem in sudo was introduced relatively recently, for version 1.8.0 released at the end of February 2011. It has now been fixed in 1.8.3p2 and affected distributions are starting to get updates out. These kinds of bugs are yet another lesson in the need for great care when handling user-controlled input.
Brief items
Most people do not realize that any program they run can examine the memory of any other process run by them. Meaning the computer game you are running on your desktop can watch everything going on in Firefox or programs like pwsafe or kinit or any other program that attempts to hide passwords.
-- Dan Walsh
So, if we receive a block less than 10 seconds after the previous one
and the previous block had a timestamp more than 24 hours in the past,
we don't bother to verify any of the ECDSA signatures in it and will
allow it to include transactions that spend random people's Bitcoins!
--
Aidan Thornton
The sudo utility (version 1.8.0 and later) suffers from a format string vulnerability that can be easily shown to crash the program. There do not appear to be any publicly-posted privilege escalation exploits at this time, but that does not mean that such exploits do not exist. An update to version 1.8.3p2 in the near future is probably a good idea; expect advisories from the distributors in the near future.
Version 2.2.22 of the Apache web server is out. The main point of this
release appears to be the fixing of six different CVE numbers, so people
with their own Apache builds probably want to grab the update.
On his blog, Youness Alaoui (aka KaKaRoTo) describes the Elliptic Curve Digital Signature Algorithm (ECDSA), which can be used to cryptographically sign messages or other data. He covers the math behind the algorithm in both a simplified and more detailed view. In addition, he discusses where Sony went wrong with its ECDSA implementation in early versions of the PlayStation 3 firmware: "Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”. This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is impossible to find the private key. If there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack."
New vulnerabilities
accountsservice: privilege escalation
| Package(s): | accountsservice |
| CVE #(s): | CVE-2011-4406 |
| Created: | January 31, 2012 |
| Updated: | February 1, 2012 |
| Description: | From the Ubuntu advisory: Hayawardh Vijayakumar discovered that AccountsService incorrectly handled privileges when modifying the language settings on Ubuntu. A local attacker could exploit this issue to modify arbitrary files, and possibly create a denial of service or obtain increased privileges. |
chromium: multiple vulnerabilities
| Package(s): | chromium |
| CVE #(s): | CVE-2011-3924, CVE-2011-3925, CVE-2011-3926, CVE-2011-3927, CVE-2011-3928 |
| Created: | January 30, 2012 |
| Updated: | February 1, 2012 |
| Description: | From the CVE entries: |
Use-after-free vulnerability in Google Chrome before 16.0.912.77 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to DOM selections. (CVE-2011-3924)
Use-after-free vulnerability in the Safe Browsing feature in Google Chrome before 16.0.912.75 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via vectors related to a navigation entry and an interstitial page. (CVE-2011-3925)
Heap-based buffer overflow in the tree builder in Google Chrome before 16.0.912.77 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3926)
Skia, as used in Google Chrome before 16.0.912.77, does not perform all required initialization of values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3927)
Use-after-free vulnerability in Google Chrome before 16.0.912.77 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to DOM handling. (CVE-2011-3928)
curl: data injection
| Package(s): | curl |
| CVE #(s): | CVE-2012-0036 |
| Created: | January 30, 2012 |
| Updated: | April 13, 2012 |
| Description: | From the Red Hat bugzilla: |
libcurl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs.
When parsing URLs, libcurl's parser is very lax and liberal and only parses as little as possible and lets as much as possible through as long as it can figure out what to do.
In the specific process when libcurl extracts the file path part from a given URL, it didn't always verify the data or escape control characters properly before it passed the file path on to the protocol-specific code that then would use it for its protocol business.
This passing through of control characters could be exploited by someone who would be able to pass in a handcrafted URL to libcurl. Lots of libcurl using applications let users enter URLs in one form or another and not all of these check the input carefully to prevent malicious ones.
A malicious user might pass in %0d%0a to get treated as CR LF by libcurl, and by using this fact a user can trick for example a POP3 client to delete a message instead of getting it or trick an SMTP server to send an unintended message.
This vulnerability can be used to fool libcurl with the following protocols: IMAP, POP3 and SMTP.
This flaw only affects curl versions 7.20.0 up to and including 7.23.1. It is corrected in 7.24.0.
ktsuss: privilege escalation
| Package(s): | ktsuss |
| CVE #(s): | CVE-2011-2921, CVE-2011-2922 |
| Created: | January 27, 2012 |
| Updated: | February 1, 2012 |
| Description: | From the Gentoo advisory: |
Two vulnerabilities have been found in ktsuss:
- Under specific circumstances, ktsuss skips authentication and fails to change the effective UID back to the real UID (CVE-2011-2921).
- The GTK interface spawned by the ktsuss binary is run as root (CVE-2011-2922).
A local attacker could gain escalated privileges and use the "GTK_MODULES" environment variable to possibly execute arbitrary code with root privileges.
Mozilla products: multiple vulnerabilities
| Package(s): | thunderbird firefox seamonkey |
| CVE #(s): | CVE-2011-3659, CVE-2011-3670, CVE-2012-0442, CVE-2012-0449, CVE-2012-0444 |
| Created: | February 1, 2012 |
| Updated: | July 23, 2012 |
| Description: | The Mozilla product suite (including Firefox, Thunderbird, and Seamonkey) suffers from a number of vulnerabilities, most of which are exploitable for arbitrary code execution. |
openttd: denial of service
| Package(s): | openttd |
| CVE #(s): | CVE-2012-0049 |
| Created: | January 30, 2012 |
| Updated: | August 7, 2012 |
| Description: | From the OpenTTD advisory: Using a slow read type attack it is possible to prevent anyone from joining a server with virtually no resources. Once downloading the map no other downloads of the map can start, so downloading really slowly will prevent others from joining. This can be further aggravated by the pause-on-join setting in which case the game is paused and the players cannot continue the game during such an attack. This attack requires that the user is not banned and passes the authorization to the server, although for many servers there is no server password and thus authorization is easy. |
php5: arbitrary file writes
| Package(s): | php5 |
| CVE #(s): | CVE-2012-0057 |
| Created: | January 31, 2012 |
| Updated: | April 13, 2012 |
| Description: | From the Debian advisory: When applying a crafted XSLT transform, an attacker could write files to arbitrary places in the filesystem. |
rubygem-actionpack: cross-site scripting
| Package(s): | rubygem-actionpack |
| CVE #(s): | CVE-2011-4319 |
| Created: | January 26, 2012 |
| Updated: | March 19, 2012 |
| Description: | From the Red Hat bugzilla entry: A cross-site scripting (XSS) flaw was found in the way the 'translate' helper method of Ruby on Rails performed HTML escaping of interpolated user input, when interpolation in combination with HTML-safe translations were used. A remote attacker could use this flaw to execute arbitrary HTML or web script by providing a specially-crafted input to a Ruby on Rails application, using the ActionPack module and its 'translate' helper method without explicit (application specific) sanitization of user provided input. |
smokeping: cross-site scripting
| Package(s): | smokeping |
| CVE #(s): | CVE-2012-0790 |
| Created: | February 1, 2012 |
| Updated: | March 21, 2013 |
| Description: | The smokeping CGI script does not properly sanitize input passed via the displaymode parameter, thus enabling cross-site scripting attacks. |
software-properties: man-in-the-middle attack
| Package(s): | software-properties |
| CVE #(s): | CVE-2011-4407 |
| Created: | January 31, 2012 |
| Updated: | October 2, 2012 |
| Description: | From the Ubuntu advisory: David Black discovered that Software Properties incorrectly validated server certificates when performing secure connections to download PPA GPG key fingerprints. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to install altered package repository GPG keys. |
sudo: privilege escalation
| Package(s): | sudo |
| CVE #(s): | CVE-2012-0809 |
| Created: | February 1, 2012 |
| Updated: | February 1, 2012 |
| Description: | A format string vulnerability in sudo (versions 1.8.0 to 1.8.3p1) enables a local attacker to obtain root privileges; see this advisory for details. |
usbmuxd: code execution
| Package(s): | usbmuxd |
| CVE #(s): | CVE-2012-0065 |
| Created: | February 1, 2012 |
| Updated: | April 11, 2013 |
| Description: | It turns out that usbmuxd does not perform proper bounds checking when processing the SerialNumber field provided by USB devices. A local attacker with a suitably modified USB device could exploit this failure to run arbitrary code as the "usbmux" user. |
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2012-0066, CVE-2012-0067, CVE-2012-0068 |
| Created: | January 27, 2012 |
| Updated: | February 1, 2012 |
| Description: | From the Debian advisory: |
Laurent Butti discovered a buffer underflow in the LANalyzer dissector of the Wireshark network traffic analyzer, which could lead to the execution of arbitrary code (CVE-2012-0068).
This update also addresses several bugs, which can lead to crashes of Wireshark. These are not treated as security issues, but are fixed nonetheless if security updates are scheduled: CVE-2011-3483, CVE-2012-0041, CVE-2012-0042, CVE-2012-0066 and CVE-2012-0067.
Page editor: Jake Edge