Mars NWE Format String Vulnerability
BID:2316
Info
Mars NWE Format String Vulnerability
| Bugtraq ID: | 2316 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 26 2001 12:00AM |
| Updated: | Jan 26 2001 12:00AM |
| Credit: | This vulnerability was announced to Bugtraq on January 26, 2001 by Przemyslaw Frasunek <[email protected]>. |
| Vulnerable: |
Martin Stover Mars NWE 0.99 pl19 |
| Not Vulnerable: | |
Discussion
Mars NWE Format String Vulnerability
Mars NWE is a freely available Netware emulator. It is maintained by original author Martin Stovers.
A problem with the software could allow a user to gain elevated privileges. Due to the handling of format strings by the software package, it is possible for a DOS or Windows workstation attached to the emulator to generate a custom crafted request of the system that will ultimately execute the code.
In the logging code of the program, improper handling of format strings make it possible to fill buffers, and overwrite variables on the stack including the return address. Due to this problem it is possible for a user with malicious intent to pass shell code to the program, which will result in execution of the code on the stack with the privileges inherited by the emulator program, normally run as root.
Mars NWE is a freely available Netware emulator. It is maintained by original author Martin Stovers.
A problem with the software could allow a user to gain elevated privileges. Due to the handling of format strings by the software package, it is possible for a DOS or Windows workstation attached to the emulator to generate a custom crafted request of the system that will ultimately execute the code.
In the logging code of the program, improper handling of format strings make it possible to fill buffers, and overwrite variables on the stack including the return address. Due to this problem it is possible for a user with malicious intent to pass shell code to the program, which will result in execution of the code on the stack with the privileges inherited by the emulator program, normally run as root.
Exploit / POC
Mars NWE Format String Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution / Fix
Mars NWE Format String Vulnerability
Solution:
This patch has been provided by Przemyslaw Frasunek <[email protected]> :
--- tools.c.orig Fri Jan 26 22:46:34 2001
+++ tools.c Fri Jan 26 22:46:59 2001
@@ -189,7 +189,7 @@
sprintf(identstr, "%s %d %3d", get_debstr(0),
act_connection, act_ncpsequence);
openlog(identstr, LOG_CONS, LOG_DAEMON);
- syslog(LOG_DEBUG, buf);
+ syslog(LOG_DEBUG, "%s", buf);
closelog();
} else {
int l=strlen(buf);
@@ -249,7 +249,7 @@
}
sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection,
act_ncpsequence);
openlog(identstr, LOG_CONS, LOG_DAEMON);
- syslog(prio, buf);
+ syslog(prio, "%s", buf);
closelog();
if (!mode) return;
lologfile=stderr;
Solution:
This patch has been provided by Przemyslaw Frasunek <[email protected]> :
--- tools.c.orig Fri Jan 26 22:46:34 2001
+++ tools.c Fri Jan 26 22:46:59 2001
@@ -189,7 +189,7 @@
sprintf(identstr, "%s %d %3d", get_debstr(0),
act_connection, act_ncpsequence);
openlog(identstr, LOG_CONS, LOG_DAEMON);
- syslog(LOG_DEBUG, buf);
+ syslog(LOG_DEBUG, "%s", buf);
closelog();
} else {
int l=strlen(buf);
@@ -249,7 +249,7 @@
}
sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection,
act_ncpsequence);
openlog(identstr, LOG_CONS, LOG_DAEMON);
- syslog(prio, buf);
+ syslog(prio, "%s", buf);
closelog();
if (!mode) return;
lologfile=stderr;
References
Mars NWE Format String Vulnerability
References:
References: