OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: FWTK x-gw Security Advisory [GSA2000-01]
From: pre (preGEEKGANG.CO.UK)
Date: Thu Oct 26 2000 - 06:00:03 CDT


              geekgang Security Advisory [gsa2000-01]

                        [www.geekgang.co.uk]
                       Copyright 2000 geekgang

ID: geekgang GSA2000-01 01 v1.0
Topic: FWTK x-gw format bug
Status: Release 26th October, 2000
Author: pre

Credit: Pekka Savola found the potential problem in the code

[Abstract]
The x-gw (X Windows gateway) component of the TIS Firewall Toolkit
(FWTK) contains a format bug vulnerability that may be exploitable
within some installations, allowing users to execute arbitrary code.

[Description]
The FWTK contains a set of proxy applications that are designed to aid a

computing professional in building a firewall system. It is not a
complete firewall product within itself. As such it is impossible to
ascertain all the different configurations in which the various parts of

the FWTK have been installed.

The x-gw component is designed to proxy connections bewteen X Windows
clients and servers. It would normally be invoked via the tn-gw (Telnet
gateway) component of the FWTK. Installations using this tn-gw
invocation method of the x-gw are not vulnerable to this problem due to
pre-processing of input data that is performed by the tn-gw.
Installations using any other method to invoke the x-gw should check
their vulnerability status.

The x-gw takes the X Windows display to connect to as a command line
parameter or environment variable. It performs some sanity checking on
this input and reports an error if the checks fail. The function that
outputs the error message has a format bug, and uses the supplied
display string as part of the output.

The function at fault is pmsg() in the source file x-gw/pmsg.c

[Solution]
Patch:

--- x-gw/pmsg.c.orig Mon Oct 23 13:21:26 2000
+++ x-gw/pmsg.c Mon Oct 23 13:22:36 2000
-37,9 +37,9
  buf[sizeof(buf)-1] = '\0';
    }

- if( uselog ) syslog( LLEV, buf );
+ if( uselog ) syslog( LLEV, "%s", buf );
    else {
- fprintf( stderr, buf );
+ fprintf( stderr, "%s", buf );
        fflush(stderr);
    }
 }

[Exploit]
An exploit for this vulnerability will be made available on the geekgang

website.

[Disclaimer]
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE ,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY
BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.