TIS Firewall Toolkit Format String Vulnerability
BID:1857
Info
| Bugtraq ID: | 1857 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Oct 26 2000 12:00AM |
| Updated: | Oct 26 2000 12:00AM |
| Credit: | In the original posting to bugtraq by pre <[email protected]> on 26 Oct 2000, Pekka Savola is credited with discovering this vulnerability. |
| Vulnerable: | TIS Internet Firewall Toolkit 2.1 |
| Not Vulnerable: | |
Discussion
A vulnerability exists in a component of TIS Firewall Toolkit, a set of utilities which assists in the implementation of network firewalls.
The x-gw (X-Windows Gateway) component of FWTK contains a format string bug which, depending on the method used to invoke x-gw, can permit an attacker to execute arbitrary code.
When x-gw is directed to connect to a given X Windows display, the name of the desired display is supplied by the user either as a command line parameter or as an environment variable.
If this input fails validity checks, an error message that includes the invalid user-supplied input is displayed. A format string bug in the pmsg() function (x-gw/pmsg.c) used to display this message can permit maliciously formed input to overwrite stack variables, such as the calling function's return address, with arbitrary values that alter the program's flow of execution.
Note that if x-gw is invoked via the telnet gateway component (tn-gw), certain checks on user input eliminate this vulnerability. However, systems using other methods to start x-gw may be vulnerable and should be carefully checked.
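The following is an added illustration, not FWTK's own code, of the two shapes of the pmsg() call described above: the vulnerable form where user-controlled text becomes the format string, and the fixed form where it is only ever a "%s" argument. The function names, the input check and the constructed display-name strings are assumptions for the example; the "%%" input is used because it is the one directive that consumes no argument, so the demonstration stays defined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define MSGLEN 128

/* Vulnerable shape: userbuf, which carries user-controlled text, is used
 * as the format, so every %-directive inside it is interpreted. Modern
 * compilers flag exactly this call with -Wformat-security; the pragma
 * below silences that warning only so the example compiles cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int report_vulnerable(char *out, size_t outlen, const char *userbuf) {
    return snprintf(out, outlen, userbuf);      /* format = user data */
}
#pragma GCC diagnostic pop

/* Fixed shape (what the FWTK patch does): the format is a constant and
 * the user text is only a %s argument, so '%' characters in it are inert. */
static int report_fixed(char *out, size_t outlen, const char *userbuf) {
    return snprintf(out, outlen, "%s", userbuf);
}

/* Defender-side check (assumed helper): an X display name such as
 * "host:0.0" never legitimately contains '%', so such input can be
 * rejected before it reaches any message routine. Returns 1 if present. */
int has_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

/* Constructed input: a rejected display name containing "%%". */
static const char *const BAD_DISPLAY = "badhost:0 100%% done";

/* Returns 1 when the vulnerable path interpreted the directive
 * ("%%" collapsed to a single '%'). */
int demo_directive_interpreted(void) {
    char out[MSGLEN];
    report_vulnerable(out, sizeof out, BAD_DISPLAY);
    return strcmp(out, "badhost:0 100% done") == 0;
}

/* Returns 1 when the fixed path copied the user text verbatim. */
int demo_directive_inert(void) {
    char out[MSGLEN];
    report_fixed(out, sizeof out, BAD_DISPLAY);
    return strcmp(out, BAD_DISPLAY) == 0;
}
```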
Exploit / POC
(October 27, 2000)
An exploit for this vulnerability will reportedly be made available shortly.
Solution / Fix
Solution:
From: Rick Murphy <[email protected]>
"There's a short solution for this problem - Don't allow anyone other than administrator to log in to your firewall directly. Or, don't run x-gw setuid."
Excerpted from original bugtraq posting by pre <[email protected]>
----------------
Patch:
--- x-gw/pmsg.c.orig Mon Oct 23 13:21:26 2000
+++ x-gw/pmsg.c Mon Oct 23 13:22:36 2000
@@ -37,9 +37,9 @@
buf[sizeof(buf)-1] = '\0';
}
- if( uselog ) syslog( LLEV, buf );
+ if( uselog ) syslog( LLEV, "%s", buf );
else {
- fprintf( stderr, buf );
+ fprintf( stderr, "%s", buf );
fflush(stderr);
}
}
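Review bot: both replacements are the right fix, since passing buf itself as the format let any %-directive in the user-supplied display name drive syslog() and fprintf(); the one thing left to confirm in review is the code above this hunk that fills buf (the context line `buf[sizeof(buf)-1] = '\0';` shows it is built with a bounded copy before these calls), namely that it uses a fixed format from the caller and that no caller of pmsg() passes user input as pmsg()'s own format parameter, otherwise the same bug simply moves one level up.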
References
References:
- Firewall Toolkit Homepage (TIS)
- geekgang homepage (geekgang)