Security bug found in NSM

Announce Posted by Sylvain GIL on Thursday October 26, @01:27PM
Alain Thivillon has found and fixed several security bugs in NSM. These bugs were caused by the now famous 'format string vulnerability' and were similar to the ones found in wu-ftpd, proftpd, Linux and Solaris libc, .... and many other Unix programs.

A patch is available for version 3.3 at ftp://ftp.solsoft.org/pub/nsm/patches/.

You will find the original mail in the body of this article.

NSM suffers from the same kind of 'format string vulnerability' as wu-ftpd, proftpd, Linux and Solaris libc, .... and many other Unix programs.

The problem is located in ulm logging, which calls syslog without "%s" escaping:


==============
case ULM_AUTH :
case ULM_SECURITY :
case ULM_USAGE :
    /* ulm_string, which can carry user-supplied text, is used directly as the format string */
    syslog ( LOG_NOTICE , ulm_string ) ;
    break ;
==============

If a user or a server inserts arbitrary strings in ulm_string (particularly '%n'), he can overwrite memory (heap, stack, ...) and maybe execute arbitrary code.

For example, using telnet relay:

Net SecurityMaster firewall

TELNET proxy

login: titi%s%s%s%n%s%s%n
Connection closed by foreign host.

telnet proxy has core dumped in syslog(). I think some exploits can be found against any proxy, not just telnet.

Fix on current version has been committed in CVS, the (very simple) patch is given below.

I think that this bug should be announced on the Web site and in the nsm-users mailing-list: search and exploitation of this kind of bug has been very common since June, and it's better if WE warn users before being 'bugtraqed' :)))

I will search other potential format string bugs today.

Then Alain sent the following mail a few minutes later:

> telnet proxy has core dumped in syslog(). I think some exploits can be
> found against any proxy, not just telnet.

In nsm-httpd, the problem is the same (by feeding a strange username that is passed to syslog, one is able to crash the proxy and probably execute code):

1066 [12:08] titi@yoko:~> telnet carbone 8081
Trying 192.70.106.99...
Connected to carbone.hsc.fr.
Escape character is '^]'.
GET http://www.yahoo.fr/ HTTP/1.0
Proxy-Authorization: Basic dGglcyVzJW4lbjp0aXRpCg==
Connection closed by foreign host.

('dGglcyVzJW4lbjp0aXRpCg' is Base64 encoding of 'th%s%s%n%n:titi')

Oct 26 12:11:28 carbone /kernel: pid 1279 (nsm-httpd), uid 65534: exited on signal 11

> I will search other potential format string bugs today.

I have carefully checked all calls to the printf family (printf, fprintf, vsnprintf, ...) (including the ones invoked indirectly by ulm_log_message or other routines using va_start), and found no other direct vulnerabilities. It would be a very good thing if someone else could duplicate my search and confirm this.
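As an added example (not code from NSM or from Alain's CVS patch), here is the corrected syslog() idiom in C, beside two audit helpers a defender can run over login names or the user part of a Proxy-Authorization header to flag inputs like the ones quoted above in proxy logs. The names ulm_log_notice, literal_roundtrip, count_format_directives and has_percent_n, and the printf grammar subset they parse, are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hardened form of the NSM call quoted above: ulm_string becomes an
 * argument to a fixed "%s" format, so a '%' in it is printed, not parsed. */
void ulm_log_notice(const char *ulm_string)
{
    syslog(LOG_NOTICE, "%s", ulm_string);
}

/* Same idiom through snprintf(): 1 when the rendered text equals the
 * input byte for byte, i.e. no directive in it was evaluated. */
int literal_roundtrip(const char *untrusted)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s", untrusted);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, untrusted) == 0;
}

/* Audit helper for fields that must never carry printf directives (a
 * login name, a proxy username); "%%" is a literal '%' and not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* 1 when any directive is '%n', the one that turns a format string bug
 * from a crash into a memory write; a width such as "%10n" is skipped. */
int has_percent_n(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        /* skip flags, width, precision and length modifiers (assumed subset) */
        for (s++; *s && strchr("-+ #0123456789.*hlLqjzt", *s); s++)
            ;
        if (*s == 'n') return 1;
        if (!*s) break;
    }
    return 0;
}
```

A non-zero count on a login field is worth an alert even after the logging path is patched, since it shows someone probing for the bug.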

All contents copyright © 2000 Solsoft.