OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Format strings: bug #2: LPRng
From: Chris Evans (chrisSCARY.BEASTS.ORG)
Date: Mon Sep 25 2000 - 18:57:43 CDT


Hi,

SUMMARY
-------

LPRng is almost certainly vulnerable to remote-root compromise on account
of a format string bug. The flaw is almost identical to the rpc.statd one
I found; namely a faulty syslog() wrapper. This is becoming a very common
flaw.

Details
-------

Here is a code excerpt from:

/LPRng-3.6.22/src/common/errormsg.c, use_syslog()

---
static void use_syslog(int kind, char *msg)
...
# ifdef HAVE_OPENLOG
        /* use the openlog facility */
        openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY );
        syslog(kind, msg);
        closelog();

# else (void) syslog(SYSLOG_FACILITY | kind, msg); # endif /* HAVE_OPENLOG */ ... ---

Here we see two classic format string bugs. Both syslog() calls are missing a "%s" format string argument.

But how exploitable is this? Does the daemon log any use supplied data? Let's do a test on the extremely recently released RedHat7.0, which has switched to LPRng.

[chrislocalhost chris]$ telnet localhost printer Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. Mary had a little lamb. Connection closed by foreign host.

...

grep lamb /var/log/messages Sep 24 07:38:36 localhost SERVER[1282]: Dispatch_input: bad request line 'Mary had a little lamb.^M'

...

Well, how obliging of (my particular version) of LPRng to log any input line I give it.

Just to confirm %'s cause trouble:

Client: [chrislocalhost chris]$ telnet localhost printer Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. %s%s%s%s%s%s%s%s%s%s

Server: Program received signal SIGSEGV, Segmentation fault. 0x400f7c66 in _IO_vfprintf (s=0x80c53a0, format=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed0c) at ../sysdeps/i386/i486/bits/string.h:529 (gdb) bt #0 0x400f7c66 in _IO_vfprintf (s=0x80c53a0, format=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed0c) at ../sysdeps/i386/i486/bits/string.h:529 #1 0x4017d60b in vsyslog (pri=6, fmt=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed08) at syslog.c:193 #2 0x4017d447 in syslog (pri=6, fmt=0xbffff190 "Dispatch_input: bad request line '%s%s%s%s%s%s%s%s%s%s^M'") at syslog.c:102 ...

The program has root privs at this time;

(gdb) print geteuid() $1 = 4 <-- initially encouraging (gdb) print getuid() $2 = 0 <-- depressing

FIX ---

- Add "%s" arguments to the syslog() calls - Firewall the printer port

Exploit -------

Not my scene. I'm sure some friendly black hat will come out with one soon, though. Perhaps remembering to credit me this time? ;-)

Cheers Chris