OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Benoît Roussel (benoit.rousselintexxia.com)
Date: Tue Apr 16 2002 - 06:53:22 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________
    SECURITY ADVISORY INTEXXIA(c)
    30 01 2002 ID #1052-300102
    ________________________________________________________________________
    TITLE : AOLServer DB Proxy Daemon Format String Vulnerability
    CREDITS : Guillaume Pelat found this vulnerability / INTEXXIA
    ________________________________________________________________________

    SYSTEM AFFECTED
    ===============

            AOLServer 3.4.2
            AOLServer 3.4.1
            AOLServer 3.4
            AOLServer 3.3.1
            AOLServer 3.2.1
            AOLServer 3.2
            AOLServer 3.1
            AOLServer 3.0

    ________________________________________________________________________

    DESCRIPTION
    ===========

            The Laboratory intexxia found a format string vulnerability in
    the AOL Server external database driver proxy daemon API that could lead
    to a privilege escalation.

    ________________________________________________________________________

    DETAILS
    =======

            AOL Server provides an API to develop external database driver
    proxy daemons. Those daemons are linked to a library (libnspd.a).

    The Laboratory intexxia found a format string and a buffer overflow
    vulnerability in the 'Ns_PdLog' function of the library. Successful
    exploitation of the bug could allow an attacker to execute code and get
    access on the system.

    As a result, all the External Driver Proxy Daemons using the 'Ns_PdLog'
    function with the 'Error' or 'Notice' parameter are potentially
    vulnerable.

    ________________________________________________________________________

    SOLUTION
    ========

            This vulnerability has been fixed in the current version in CVS
    branch nsd_v3_r3_p0 (post-AOLserver 3.4.2) and can be used for any
    affected version. The patch used was created by intexxia and can be
    found in attachment. More information can be found at the following
    URL :

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1

    ________________________________________________________________________

    VENDOR STATUS
    =============

            14-03-2002 : This bulletin was sent to the developpement team.
            19-03-2002 : The vendor confirmed the vulnerability and fixed it
                         in the CVS branch nsd_v3_r3_p0 (post-AOLserver
                         3.4.2).

    ________________________________________________________________________

    LEGALS
    ======

            AOL Server is a registered trademark.

            Intexxia provides this information as a public service and "as
    is". Intexxia will not be held accountable for any damage or distress
    caused by the proper or improper usage of these materials.

            (c) intexxia 2002. This document is property of intexxia. Feel
    free to use and distribute this material as long as credit is given to
    intexxia and the author.

    ________________________________________________________________________

    CONTACT
    =======

    CERT intexxia certintexxia.com
    INTEXXIA http://www.intexxia.com
    171, av. Georges Clemenceau Standard : +33 1 55 69 49 10
    92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQA/AwUBPLwQr02N8BNyNDXLEQK7yQCfVh/7x6yBxWKEi5iwRDaHEHuilGUAoN+u
    14o6inQET/8E4GdnfqgS6Jtj
    =YKem
    -----END PGP SIGNATURE-----