what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 03-08-07.2

Atstake Security Advisory 03-08-07.2
Posted Aug 10, 2003
Authored by David Goldsmith, Atstake | Site atstake.com

Atstake Security Advisory A080703-2 - tcpflow, the network monitoring tool that records TCP sessions in an easy to use and view manner, contains a format string vulnerability that is typically unexploitable.

tags | advisory, tcp
SHA-256 | b4f0c4f5a717ad038f3eb39e9c687e11d5766b61d2e3b9b83c77992f43bb0bcf

Atstake Security Advisory 03-08-07.2

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: tcpflow 0.2.0 Format String Vulnerability
Release Date: 08/07/2003
Application: tcpflow
Platform: UNIX
Severity: High or None (See Below)
Author: Dave G. <daveg@atstake.com>
Vendor Status: Vendor has fixed version
CVE Candidate: CAN-2003-0671
Reference: www.atstake.com/research/advisories/2003/a080703-2.txt


Overview:

tcpflow is a network monitoring tool that records TCP sessions in an
easy to use and view manner. This tool contains a format string
vulnerability that is typically unexploitable. However, there has
been at least a couple of network management tools (IPNetMonitorX and
IPNetSentryX) that allowed for this vulnerability to be successfully
exploited.

- - -IMPORTANT NOTE-

This advisory is being released to inform other developers that may
rely on this tool, and to serve as an addendum to the @stake advisory
entitled: "Sustworks Unauthorized Network Monitoring and tcpflow
Format String Attack."


Details:

tcpflow contains an exploitable format string vulnerability during
the opening of a device via libpcap. This code snippet is from the
current version of tcpflow:

- - From tcpflow:main.c
- - -------------------
/* make sure we can open the device */
if ((pd = pcap_open_live(device, SNAPLEN, !no_promisc, 1000,
error)) == NULL)
die(error);

/* drop root privileges - we don't need them any more */
setuid(getuid());

As we can see, if the call to pcap_open_live() fails, the error
message will be passed to an error handling and cleanup function
called die(). This happens just before privileges are dropped by the
application. Looking at the code snippets below, we can see that
this error message will get passed as the format string to the
vfprintf() call inside of print_debug_message(). Since the device
name is included as part of the libpcap error, and device is
specified by the user, an attacker can input format specifiers into
vfprintf().

- - From tcpflow:util.c
- - ------------------- void die(char *fmt, ...)
{
va_list ap;

va_start(ap, fmt);
print_debug_message(fmt, ap);
exit(1);
}

/*
* Print a debugging message, given a va_list
*/
void print_debug_message(char *fmt, va_list ap)
{
/* print debug prefix */
fprintf(stderr, "%s: ", debug_prefix);

/* print the var-arg buffer passed to us */
vfprintf(stderr, fmt, ap);

/* add newline */
fprintf(stderr, "\n");
(void) fflush(stderr);
}

To test if your version of tcpflow is vulnerable, simply execute
tcpflow as root with the command line argument of -i %x%x%x%x%x%x.
If the tcpflow error message contains a large hexadecimal string,
your version is vulnerable.

For example:

bash-2.05a$ sudo bash
bash-2.05a# tcpflow -i %x%x%x%x%x%x
tcpflow[1195]: BIOCSETIF: 1a45017646365206e1a010365c: Device not
configured


Vendor Response:

There is an updated version of tcpflow available from
https://www.circlemud.org/~jelson/software/tcpflow.


Recommendation:

Upgrade tcpflow and ensure that it is not setuid root.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0671 tcpflow format string vulnerability through
RunTCPFlow

@stake Vulnerability Reporting Policy:
https://www.atstake.com/research/policy/

@stake Advisory Archive:
https://www.atstake.com/research/advisories/

PGP Key:
https://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzK7SEe9kNIfAm4yEQLIQgCg2FsuanlbSV/45hkgxBOE8GvKOlsAoKQt
TgybHf+i2Zo041zjMRMEOZCx
=B4H2
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close