
Security

Format string vulnerabilities

By Jake Edge
February 1, 2012

A recent sudo advisory described a "format string vulnerability" that could be used for privilege escalation. Since sudo runs as setuid-root, that means it could potentially be used by any local user (not just those listed in /etc/sudoers) to compromise the system. As with many security flaws, format string vulnerabilities are the result of improper handling of user-supplied input. Given this latest report, it's worth taking a look at how these kinds of vulnerabilities come about.

For those who aren't C programmers, a little background may be in order. The standard C library function for printing to stdout is printf(); other functions in the same family print to stderr, to character buffers, or to other files. printf() takes a string as its first argument, and that string can contain format specifiers, introduced by '%', that describe the types of the remaining arguments and how to render them. For example:

    printf("hello, world\n");
    printf("%s\n", "hello, world");
    printf("%s, %s\n", "hello", "world");

would all print the canonical string to stdout. The "%s" is the format specifier for a string, so the function expects the corresponding argument to be a pointer to a null-terminated array of characters.

Members of the printf() family use the C language's variable-argument ("varargs") facility to accept an arbitrary number of arguments. As the format string is parsed, each specifier causes the function to fetch the next argument from wherever the calling convention puts it: the stack on 32-bit x86, registers followed by the stack on x86-64. The function simply trusts that the caller placed an argument of the right type there; given the existing ABI, the compiler does not (in fact cannot, at run time) enforce that the caller did so. That's where the problem can occur.

In the easy case, compilers can and do warn when a literal format string doesn't match the arguments. A call like:

    printf("hello, %s\n");

will cause a warning if the warning level is set high enough (-Wall enables -Wformat in GCC). Those kinds of problems are relatively easy to find. A trickier problem occurs with something like:

    printf(str);

which compiles cleanly and behaves correctly as long as str contains no format specifiers. If it does, however, the function will happily consume arguments that the caller never passed, reading whatever happens to occupy those argument slots (registers or stack); in C terms the behavior is undefined. GCC's -Wformat-security flag warns about exactly this case (a non-literal format string with no accompanying arguments), and -Wformat-nonliteral flags every format string the compiler cannot check. In the "best" case, format specifiers in str will crash the program; in the worst, they can lead to code execution, since "%s" treats an arbitrary word as a pointer and reads through it while "%n" writes through one. If str comes from user-supplied input, an attacker may be able to craft just the right format string to execute code of their choosing.

That may be bad enough for a program run as an unprivileged user (the attacker's code might be the equivalent of "rm -rf $HOME"), but it is far worse if the program has root privileges, as sudo does. According to Wikipedia, format string bugs were noted in 1990, but were not recognized as a security problem until a researcher auditing proftpd reported a way to exploit the bug. That exploit used the "%n" format, which, rather than printing anything, stores the number of characters printed so far through an integer pointer taken from the argument list; in an attack, that pointer is whatever value happens to occupy the corresponding argument slot. By arranging just the right format string, the exploit overwrote the current user ID.
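To make the "%n" mechanism concrete, here is an added example (not code from the article or from sudo) that uses "%n" in the one situation where its behavior is well defined: the caller supplies the pointer. A minimum field width in the format string decides how many characters precede the "%n", and therefore what value gets stored; "%hhn" keeps only the low byte of that count. The function names and the sample widths are this example's own.

```c
/*
 * Added example, not code from the article or from sudo: what "%n" does
 * in the well-defined case where the caller supplies the pointer.  In a
 * real format string attack the attacker supplies the specifier and the
 * pointer is whatever occupies the next argument slot, so the same
 * mechanism writes to memory the caller never meant to expose.
 */
#include <stdio.h>

/* Returns the value "%n" stores: the number of characters produced before
 * it is reached.  A minimum field width ("%42x") lets the author of the
 * format string choose that number, which is how an exploit picks the
 * value it writes.  When the width is smaller than the rendered value,
 * the count is the length of the value itself (here "abc", 3 chars). */
int count_stored_by_n(int width)
{
    char buf[256];
    int stored = -1;

    /* "%*x" consumes width and 0xabcu; "%n" consumes &stored. */
    snprintf(buf, sizeof buf, "%*x%n tail", width, 0xabcu, &stored);
    return stored;
}

/* "%hhn" stores only the low byte of the count, so a width of 300 leaves
 * 300 % 256 == 44 in the target.  Writing one byte at a time like this is
 * how exploits assemble an arbitrary word from several small counts
 * instead of emitting billions of padding characters for one big one. */
unsigned char low_byte_via_hhn(int width)
{
    char buf[512];
    signed char b = 0;

    snprintf(buf, sizeof buf, "%*x%hhn", width, 0u, &b);
    return (unsigned char)b;
}

int main(void)
{
    printf("%%n after width 42 stores %d\n", count_stored_by_n(42));
    printf("%%n after width 2 stores %d (the value itself is 3 chars)\n",
           count_stored_by_n(2));
    printf("%%hhn after width 300 stores byte %u\n", low_byte_via_hhn(300));
    return 0;
}
```

The format strings here are literals in read-only memory, so the example also runs under glibc's _FORTIFY_SOURCE=2, which only objects to "%n" when the format lives in writable memory; that distinction is exactly the one an attacker-controlled format string trips over.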

In the sudo case, the program name (which is stored in argv[0] for C programs) was being printed as part of an error message. As the advisory from the finder describes, the program name was "printed" into a buffer (using a variant of sprintf()), and that buffer was then handed off to a vfprintf() as the format string. That meant that the user-controlled program name—which could certainly contain format specifiers—was used as the format string for the vfprintf(). The fix for sudo is to ensure that the program name is printed with a "%s" specifier in the final print statement, rather than building it into the earlier buffer.
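The following added example (not sudo's code, and not from the article) reduces the two-step pattern just described, and the printf(str) problem above it, to a minimal shape next to the corrected version. The function names are hypothetical and "progname" stands in for the argv[0]-derived name; the vulnerable variant is only ever called with a benign name, since a hostile one makes its behavior undefined. A small audit helper counts conversion specifiers in a string that is about to become a format, which is the check to run on anything derived from user input.

```c
/*
 * Added example, not sudo's code: the two-step mistake described above,
 * reduced to a minimal shape, next to the corrected version.  Names are
 * hypothetical; "progname" stands for the argv[0]-derived program name.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable shape.  Step 1 bakes progname into a string; step 2 uses that
 * string as the format, so any '%' in progname is interpreted by
 * vsnprintf().  With a hostile argv[0] such as "%n%n%n" this is undefined
 * behaviour (a crash at best).  Called below with a benign name only.
 */
int report_vulnerable(char *out, size_t n, const char *progname,
                      const char *fmt, ...)
{
    char prefixed[256];
    va_list ap;
    int r;

    snprintf(prefixed, sizeof prefixed, "%s: %s", progname, fmt); /* step 1 */
    va_start(ap, fmt);
    r = vsnprintf(out, n, prefixed, ap);                            /* step 2 */
    va_end(ap);
    return r;
}

/*
 * Fixed shape.  The program name is only ever data for a "%s"; the only
 * string parsed as a format is the fmt literal the programmer wrote.
 */
int report_fixed(char *out, size_t n, const char *progname,
                 const char *fmt, ...)
{
    va_list ap;
    int len, r;

    len = snprintf(out, n, "%s: ", progname);
    if (len < 0 || (size_t)len >= n)
        return len;                          /* truncated: nothing more fits */
    va_start(ap, fmt);
    r = vsnprintf(out + len, n - (size_t)len, fmt, ap);
    va_end(ap);
    return r < 0 ? r : len + r;
}

/*
 * Audit helper: count conversion specifiers in a string about to be used
 * as a format.  "%%" is a literal percent sign, not a conversion.  Any
 * non-zero result for a string derived from user input is the bug.
 */
int count_conversions(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                             /* skip the escaped percent */
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the fixed version renders a hostile name literally. */
int fixed_keeps_name_literal(void)
{
    char out[128];
    int r = report_fixed(out, sizeof out, "%n%n%n",
                         "cannot open %s", "/etc/shadow");

    return r == 31 && strcmp(out, "%n%n%n: cannot open /etc/shadow") == 0;
}

/* Returns 1 if both versions agree on a benign program name. */
int versions_agree_on_benign_name(void)
{
    char a[128], b[128];

    report_vulnerable(a, sizeof a, "sudo", "cannot open %s", "/etc/shadow");
    report_fixed(b, sizeof b, "sudo", "cannot open %s", "/etc/shadow");
    return strcmp(a, b) == 0 && strcmp(a, "sudo: cannot open /etc/shadow") == 0;
}

int main(void)
{
    printf("fixed version keeps \"%%n%%n%%n\" literal: %d\n",
           fixed_keeps_name_literal());
    printf("both versions agree on \"sudo\": %d\n",
           versions_agree_on_benign_name());
    printf("conversions in \"%%n%%n%%n\": %d, in \"100%%%% done\": %d\n",
           count_conversions("%n%n%n"), count_conversions("100%% done"));
    return 0;
}
```

Compiling this with -Wformat -Wformat-nonliteral makes GCC flag the vsnprintf() call in report_vulnerable(), because its format is not a literal; the fixed version passes every format as a literal and so stays quiet under the same flags.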

How can the user control the program name, especially for a setuid binary like sudo? That's not very hard either, because argv[0] is simply whatever name the program was invoked by:

    $ ln -s /usr/bin/sudo %n
    $ ./%n

Invoked through that link, sudo sees "%n" as its own name.

The sudo advisory notes that building sudo with -D_FORTIFY_SOURCE=2 will prevent these kinds of exploits: glibc's fortified printf() functions abort when a "%n" appears in a format string stored in writable memory and reject positional ("%N$") arguments that are not used contiguously, which blocks the usual write primitives. The advisory from the finder, however, points to a Phrack article describing techniques that may make it possible to bypass that protection, so it should be treated as a mitigation rather than a fix.

The problem in sudo was introduced relatively recently, in version 1.8.0, released at the end of February 2011. It has now been fixed in 1.8.3p2 and affected distributions are starting to get updates out. These kinds of bugs are yet another lesson in the need for great care when handling user-controlled input: anything an attacker can influence, argv[0] included, must reach a printf()-family function only as an argument, never as the format.

Comments (23 posted)

Brief items

Security quotes of the week

Most people do not realize that any program they run can examine the memory of any other process run by them. Meaning the computer game you are running on your desktop can watch everything going on in Firefox or programs like pwsafe or kinit or other programs that attempt to hide passwords.
-- Dan Walsh

So, if we receive a block less than 10 seconds after the previous one and the previous block had a timestamp more than 24 hours in the past, we don't bother to verify any of the ECDSA signatures in it and will allow it to include transactions that spend random people's Bitcoins!
-- Aidan Thornton

Comments (16 posted)

Format string vulnerability in sudo

The sudo utility (version 1.8.0 and later) suffers from a format string vulnerability that can be easily shown to crash the program. There do not appear to be any publicly-posted privilege escalation exploits at this time, but that does not mean that such exploits do not exist. An update to version 1.8.3p2 in the near future is probably a good idea; expect advisories from the distributors in the near future.

Comments (31 posted)

Apache HTTP Server 2.2.22 released

Version 2.2.22 of the Apache web server is out. The main point of this release appears to be fixes for six different CVEs, so people with their own Apache builds probably want to grab the update.

Full Story (comments: none)

KaKaRoTo: How the ECDSA algorithm works

On his blog, Youness Alaoui (aka KaKaRoTo) describes the Elliptic Curve Digital Signature Algorithm (ECDSA), which can be used to cryptographically sign messages or other data. He covers the math behind the algorithm in both a simplified and a more detailed view. In addition, he discusses where Sony went wrong with its ECDSA implementation in early versions of the PlayStation 3 firmware: "Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”. This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is impossible to find the private key. If there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack."

Comments (none posted)

New vulnerabilities

accountsservice: privilege escalation

Package(s):accountsservice CVE #(s):CVE-2011-4406
Created:January 31, 2012 Updated:February 1, 2012
Description: From the Ubuntu advisory:

Hayawardh Vijayakumar discovered that AccountsService incorrectly handled privileges when modifying the language settings on Ubuntu. A local attacker could exploit this issue to modify arbitrary files, and possibly create a denial of service or obtain increased privileges.

Alerts:
Ubuntu USN-1351-1 accountsservice 2012-01-31

Comments (none posted)

chromium: multiple vulnerabilities

Package(s):chromium CVE #(s):CVE-2011-3924 CVE-2011-3925 CVE-2011-3926 CVE-2011-3927 CVE-2011-3928
Created:January 30, 2012 Updated:February 1, 2012
Description: From the CVE entries:

Use-after-free vulnerability in Google Chrome before 16.0.912.77 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to DOM selections. (CVE-2011-3924)

Use-after-free vulnerability in the Safe Browsing feature in Google Chrome before 16.0.912.75 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via vectors related to a navigation entry and an interstitial page. (CVE-2011-3925)

Heap-based buffer overflow in the tree builder in Google Chrome before 16.0.912.77 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3926)

Skia, as used in Google Chrome before 16.0.912.77, does not perform all required initialization of values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3927)

Use-after-free vulnerability in Google Chrome before 16.0.912.77 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to DOM handling. (CVE-2011-3928)

Alerts:
Gentoo 201201-17 chromium 2012-01-27

Comments (none posted)

curl: data injection

Package(s):curl CVE #(s):CVE-2012-0036
Created:January 30, 2012 Updated:April 13, 2012
Description: From the Red Hat bugzilla:

libcurl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs.

When parsing URLs, libcurl's parser is very lax and liberal and only parses as little as possible and lets as much as possible through as long as it can figure out what to do.

In the specific process when libcurl extracts the file path part from a given URL, it didn't always verify the data or escape control characters properly before it passed the file path on to the protocol-specific code that then would use it for its protocol business.

This passing through of control characters could be exploited by someone who would be able to pass in a handcrafted URL to libcurl. Lots of libcurl-using applications let users enter URLs in one form or another and not all of these check the input carefully to prevent malicious ones.

A malicious user might pass in %0d%0a to get treated as CR LF by libcurl, and by using this fact a user can trick for example a POP3 client to delete a message instead of getting it or trick an SMTP server to send an unintended message.

This vulnerability can be used to fool libcurl with the following protocols: IMAP, POP3 and SMTP.

This flaw only affects curl versions 7.20.0 up to and including 7.23.1. It is corrected in 7.24.0.

Alerts:
Mandriva MDVSA-2012:058 curl 2012-04-13
Gentoo 201203-02 curl 2012-03-05
Fedora FEDORA-2012-0888 curl 2012-02-11
openSUSE openSUSE-SU-2012:0229-1 curl 2012-02-09
Debian DSA-2398-1 curl 2012-01-30
Fedora FEDORA-2012-0894 curl 2012-01-28

Comments (none posted)

ktsuss: privilege escalation

Package(s):ktsuss CVE #(s):CVE-2011-2921 CVE-2011-2922
Created:January 27, 2012 Updated:February 1, 2012
Description: From the Gentoo advisory:

Two vulnerabilities have been found in ktsuss:

  • Under specific circumstances, ktsuss skips authentication and fails to change the effective UID back to the real UID (CVE-2011-2921).
  • The GTK interface spawned by the ktsuss binary is run as root (CVE-2011-2922).

A local attacker could gain escalated privileges and use the "GTK_MODULES" environment variable to possibly execute arbitrary code with root privileges.

Alerts:
Gentoo 201201-15 ktsuss 2012-01-27

Comments (none posted)

Mozilla products: multiple vulnerabilities

Package(s):thunderbird firefox seamonkey CVE #(s):CVE-2011-3659 CVE-2011-3670 CVE-2012-0442 CVE-2012-0449 CVE-2012-0444
Created:February 1, 2012 Updated:July 23, 2012
Description: The Mozilla product suite (including Firefox, Thunderbird, and Seamonkey) suffers from a number of vulnerabilities, most of which are exploitable for arbitrary code execution.
Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Mageia MGASA-2012-0176 iceape 2012-07-21
SUSE SUSE-SU-2012:0326-1 libvorbis 2012-03-06
Ubuntu USN-1369-1 thunderbird 2012-02-17
Scientific Linux SL-libv-20120215 libvorbis 2012-02-15
CentOS CESA-2012:0136 libvorbis 2012-02-15
Red Hat RHSA-2012:0136-01 libvorbis 2012-02-15
SUSE SUSE-SU-2012:0221-1 Mozilla Firefox 2012-02-09
SUSE SUSE-SU-2012:0198-1 Mozilla XULrunner 2012-02-09
openSUSE openSUSE-SU-2012:0234-1 MozillaFirefox 2012-02-09
Debian DSA-2406-1 icedove 2012-02-09
Ubuntu USN-1353-1 xulrunner-1.9.2 2012-02-08
Ubuntu USN-1350-1 thunderbird 2012-02-08
Ubuntu USN-1355-3 ubufox, webfav 2012-02-03
Ubuntu USN-1355-2 mozvoikko 2012-02-03
Ubuntu USN-1355-1 firefox 2012-02-03
Mandriva MDVSA-2012:013 mozilla 2012-02-03
Debian DSA-2402-1 iceape 2012-02-02
Debian DSA-2400-1 iceweasel 2012-02-02
Scientific Linux SL-seam-20120201 seamonkey 2012-02-01
Scientific Linux SL-fire-20120201 firefox 2012-02-01
Scientific Linux SL-thun-20120201 thunderbird 2012-02-01
Oracle ELSA-2012-0080 thunderbird 2012-02-01
Oracle ELSA-2012-0085 thunderbird 2012-02-01
Oracle ELSA-2012-0084 seamonkey 2012-02-01
Oracle ELSA-2012-0079 firefox 2012-02-01
Fedora FEDORA-2012-1140 libvpx 2012-02-02
Fedora FEDORA-2012-1140 gstreamer-plugins-bad-free 2012-02-02
Fedora FEDORA-2012-1140 thunderbird-lightning 2012-02-02
Fedora FEDORA-2012-1140 thunderbird 2012-02-02
Fedora FEDORA-2012-1140 xulrunner 2012-02-02
Fedora FEDORA-2012-1140 firefox 2012-02-02
Red Hat RHSA-2012:0084-01 seamonkey 2012-02-01
Red Hat RHSA-2012:0079-01 firefox 2012-02-01
Red Hat RHSA-2012:0085-01 thunderbird 2012-02-01
CentOS CESA-2012:0084 seamonkey 2012-02-01
CentOS CESA-2012:0079 firefox 2012-02-01
CentOS CESA-2012:0080 thunderbird 2012-02-01
CentOS CESA-2012:0085 thunderbird 2012-02-01
Red Hat RHSA-2012:0080-01 thunderbird 2012-02-01

Comments (none posted)

openttd: denial of service

Package(s):openttd CVE #(s):CVE-2012-0049
Created:January 30, 2012 Updated:August 7, 2012
Description: From the OpenTTD advisory:

Using a slow read type attack it is possible to prevent anyone from joining a server with virtually no resources. Once downloading the map no other downloads of the map can start, so downloading really slowly will prevent others from joining. This can be further aggravated by the pause-on-join setting in which case the game is paused and the players cannot continue the game during such an attack. This attack requires that the user is not banned and passes the authorization to the server, although for many servers there is no server password and thus authorization is easy.

Alerts:
Debian DSA-2524-1 openttd 2012-08-06
Fedora FEDORA-2012-0623 openttd 2012-01-28
Fedora FEDORA-2012-0647 openttd 2012-01-28

Comments (none posted)

php5: arbitrary file writes

Package(s):php5 CVE #(s):CVE-2012-0057
Created:January 31, 2012 Updated:April 13, 2012
Description: From the Debian advisory:

When applying a crafted XSLT transform, an attacker could write files to arbitrary places in the filesystem.

Alerts:
SUSE SUSE-SU-2013:1351-1 PHP5 2013-08-16
Gentoo 201209-03 php 2012-09-23
CentOS CESA-2012:1046 php 2012-07-10
Scientific Linux SL-php-20120709 php 2012-07-09
Scientific Linux SL-php5-20120705 php53 2012-07-05
Scientific Linux SL-php-20120705 php 2012-07-05
Oracle ELSA-2012-1046 php 2012-06-30
Oracle ELSA-2012-1047 php53 2012-06-28
Oracle ELSA-2012-1045 php 2012-06-28
CentOS CESA-2012:1047 php53 2012-06-27
CentOS CESA-2012:1045 php 2012-06-27
Red Hat RHSA-2012:1047-01 php53 2012-06-27
Red Hat RHSA-2012:1046-01 php 2012-06-27
Red Hat RHSA-2012:1045-01 php 2012-06-27
SUSE SUSE-SU-2012:0496-1 PHP5 2012-04-12
SUSE SUSE-SU-2012:0472-1 PHP5 2012-04-06
openSUSE openSUSE-SU-2012:0426-1 php5 2012-03-29
SUSE SUSE-SU-2012:0411-1 PHP5 2012-03-24
Ubuntu USN-1358-1 php5 2012-02-09
Debian DSA-2399-2 php5 2012-01-31
Debian DSA-2399-1 php5 2012-01-31

Comments (none posted)

rubygem-actionpack: cross-site scripting

Package(s):rubygem-actionpack CVE #(s):CVE-2011-4319
Created:January 26, 2012 Updated:March 19, 2012
Description:

From the Red Hat bugzilla entry:

A cross-site scripting (XSS) flaw was found in the way the 'translate' helper method of the Ruby on Rails performed HTML escaping of interpolated user input, when interpolation in combination with HTML-safe translations were used. A remote attacker could use this flaw to execute arbitrary HTML or web script by providing a specially-crafted input to Ruby on Rails application, using the ActionPack module and its 'translate' helper method without explicit (application specific) sanitization of user provided input.

Alerts:
Fedora FEDORA-2012-0643 rubygem-actionpack 2012-01-25
Fedora FEDORA-2012-0626 rubygem-actionpack 2012-01-25

Comments (none posted)

smokeping: cross-site scripting

Package(s):smokeping CVE #(s):CVE-2012-0790
Created:February 1, 2012 Updated:March 21, 2013
Description: The smokeping CGI script does not properly sanitize input passed via the displaymode parameter, thus enabling cross-site scripting attacks.
Alerts:
Debian DSA-2651-1 smokeping 2013-03-20
Fedora FEDORA-2012-0801 smokeping 2012-01-31
Fedora FEDORA-2012-0813 smokeping 2012-01-31

Comments (none posted)

software-properties: man-in-the-middle attack

Package(s):software-properties CVE #(s):CVE-2011-4407
Created:January 31, 2012 Updated:October 2, 2012
Description: From the Ubuntu advisory:

David Black discovered that Software Properties incorrectly validated server certificates when performing secure connections to download PPA GPG key fingerprints. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to install altered package repository GPG keys.

Alerts:
Ubuntu USN-1352-1 software-properties 2012-01-31

Comments (none posted)

sudo: privilege escalation

Package(s):sudo CVE #(s):CVE-2012-0809
Created:February 1, 2012 Updated:February 1, 2012
Description: A format string vulnerability in sudo (versions 1.8.0 to 1.8.3p1) enables a local attacker to obtain root privileges; see this advisory for details.
Alerts:
Gentoo 201203-06 sudo 2012-03-05
Fedora FEDORA-2012-1028 sudo 2012-01-31

Comments (none posted)

usbmuxd: code execution

Package(s):usbmuxd CVE #(s):CVE-2012-0065
Created:February 1, 2012 Updated:April 11, 2013
Description: It turns out that usbmuxd does not perform proper bounds checking when processing the SerialNumber field provided by USB devices. A local attacker with a suitably modified USB device could exploit this failure to run arbitrary code as the "usbmux" user.
Alerts:
Mandriva MDVSA-2013:133 usbmuxd 2013-04-10
Mageia MGASA-2012-0228 usbmuxd 2012-08-18
Mandriva MDVSA-2012:133 usbmuxd 2012-08-16
openSUSE openSUSE-SU-2012:0345-1 usbmuxd 2012-03-09
Gentoo 201203-11 usbmuxd 2012-03-05
Fedora FEDORA-2012-1213 usbmuxd 2012-02-17
Fedora FEDORA-2012-1192 usbmuxd 2012-02-17
Ubuntu USN-1354-1 usbmuxd 2012-02-01

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s):wireshark CVE #(s):CVE-2012-0066 CVE-2012-0067 CVE-2012-0068
Created:January 27, 2012 Updated:February 1, 2012
Description: From the Debian advisory:

Laurent Butti discovered a buffer underflow in the LANalyzer dissector of the Wireshark network traffic analyzer, which could lead to the execution of arbitrary code (CVE-2012-0068)

This update also addresses several bugs, which can lead to crashes of Wireshark. These are not treated as security issues, but are fixed nonetheless if security updates are scheduled: CVE-2011-3483, CVE-2012-0041, CVE-2012-0042, CVE-2012-0066 and CVE-2012-0067.

Alerts:
Oracle ELSA-2013-1569 wireshark 2013-11-26
Gentoo GLSA 201308-05:02 wireshark 2013-08-30
Gentoo 201308-05 wireshark 2013-08-28
Oracle ELSA-2013-0125 wireshark 2013-01-12
Scientific Linux SL-wire-20130116 wireshark 2013-01-16
CentOS CESA-2012:0509 wireshark 2012-04-24
Oracle ELSA-2012-0509 wireshark 2012-04-23
Scientific Linux SL-wire-20120423 wireshark 2012-04-23
Red Hat RHSA-2012:0509-01 wireshark 2012-04-23
openSUSE openSUSE-SU-2012:0295-1 wireshark 2012-02-23
Debian DSA-2395-1 wireshark 2012-01-27

Comments (none posted)

Page editor: Jake Edge


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds