SecurityTracker.com
Category:  Application (Security)  >  Audit
Vendors:  Red Hat
Audit Stack Overflow in audit_log_user_command() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019824
SecurityTracker URL:  http://securitytracker.com/id?1019824
CVE Reference:  CVE-2008-1628
Date:  Apr 10 2008
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 1.7
Description:  A vulnerability was reported in Audit, the Linux audit user-space library and daemon. A remote user can execute arbitrary code on the target system.

An overly long command line (many or long arguments) passed to the affected function overruns a fixed-size stack buffer. A user who controls that command line can corrupt the stack and execute arbitrary code; the code runs with the privileges of the process that called the library. The only trigger the vendor describes is sudo invoked with a large number of arguments, which made sudo fail before the fix, so the exposure of a given host depends on which programs log commands through this function and who can supply their arguments. The fix in 1.7 truncates the logged argument list instead of overrunning the buffer.

The vulnerability resides in the audit_log_user_command() function in 'lib/audit_logging.c' of the audit user-space library, which sudo and other programs call to record the commands users run.

Joe Nall reported this vulnerability.

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  The vendor has issued a fixed version (1.7), available at:

http://people.redhat.com/sgrubb/audit/

Vendor URL:  people.redhat.com/sgrubb/audit/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Steve Grubb <sgrubb@redhat.com>
Message History:   None.


Source Message Contents

Date:  Sun, 30 Mar 2008 16:23:24 -0400
From:  Steve Grubb <sgrubb@redhat.com>
Subject:  audit 1.7 released

 
Hi,
 
I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
soon. The Changelog is:
 
- Improve input error handling in audispd
- Improve end of event detection in auparse library
- Improve handling of abstract namespaces
- Add test mode for prelude plugin
- Handle user space avcs in prelude plugin
- Audit event serial number now recorded in idmef alert
- Add --just-one option to ausearch
- Fix watched account login detection for some failed login attempts
- Couple fixups in audit logging functions (Miloslav Trmac)
- Add support for virtual keys
- Added new type for user space MAC policy load events
- auparse_find_field_next was not iterating correctly, fixed it
- Add idmef alerts for access or execution of watched file
- Fix buffer overflow in audit_log_user_command
- Add basic remote logging plugin - only sends & no flow control
- Update ausearch with interpret fixes from auparse
 
This release has a lot of changes. There are a lot of bugs fixed in this 
update. Besides pure bug fixing, this release adds a test mode for the 
audisp-prelude plugin. It can now take a file input to stdin and output to 
stdout what it would like to do.
 
The audisp-prelude plugin also has a big change in the configuration file. It 
now takes separate enablers and actions to decide if a certain detection 
should be run and what to do if something is found. Right now, the only 
action is to send an idmef event. But this allows for future actions that can 
protect the machine.
 
IDMEF events were added for watched files or execution of watched programs. 
This requires a specific key format to work.
 
Ausearch was given a new option, --just-one. This tells it to emit just one 
event during the search. This is handy if you are searching for a specific 
event by its serial number and time.
 
Virtual key support was added throughout the utilities and libraries. With it, 
admins can now express more than one key in an auditctl rule. The size limit 
was left at 32, but we'll bump it up when kernel 2.6.26 is starting to take 
patches.
 
A buffer overflow in audit_log_user_command was fixed. This was preventing 
sudo from running when it had a large number of arguments. For now, we are 
truncating the event's argument list. But I'll try to work something out 
around continuation records so that it can be fully pieced together.
 
Lastly, a remote logging plugin makes its debut. Right now it sends only and 
has no flow control. I made a quick and dirty program that runs off of xinetd 
that just appends records to a file to verify it is working. Anyone that wants 
to use it will need to do nearly the same at this point. The next release 
will include a receive capability with no flow control. And then in another 
release after that I'll add the flow control between sender and receiver.
 
Please let me know if you run across any problems with this release.
 
-Steve
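The bug shape given in the Description above and in Steve's note about the fix (a fixed-size stack buffer overrun by a long argument list, resolved in 1.7 by truncating the logged arguments) can be illustrated with the following C. This is an added example, not the code of audit's lib/audit_logging.c: the buffer size CMD_BUF_LEN, the function names join_args_unbounded(), joined_args_len(), would_overflow() and join_args_bounded(), and the two sample command lines are all assumptions made for the demonstration; the real function's buffer size and signature are not given on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Buffer size chosen for this demonstration only; the size of the stack
 * buffer in the real lib/audit_logging.c is not stated on this page.
 */
#define CMD_BUF_LEN 32

/* Constructed sample command lines (not taken from the page). */
static char *const SHORT_CMD[] = { "/bin/ls", "-l", "/tmp" };
#define SHORT_ARGC 3
static char *const LONG_CMD[] = { "/usr/bin/find", "/", "-name", "core", "-o",
                                  "-name", "*.tmp", "-o", "-name", "*.bak",
                                  "-print" };
#define LONG_ARGC 11

/*
 * "Before" shape of the bug: the command and its arguments are appended to a
 * fixed-size stack buffer without ever comparing the total length against the
 * buffer. Deliberately unsafe; kept only for contrast with the bounded version.
 */
void join_args_unbounded(char *dst, int argc, char *const argv[])
{
    dst[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i > 0)
            strcat(dst, " ");      /* no bound check: overruns dst */
        strcat(dst, argv[i]);      /* when the arguments are long enough */
    }
}

/* Bytes the joined command line occupies, including the terminating NUL. */
size_t joined_args_len(int argc, char *const argv[])
{
    size_t n = 1;                  /* the NUL */
    for (int i = 0; i < argc; i++)
        n += strlen(argv[i]) + (i > 0 ? 1 : 0);   /* argument plus separator */
    return n;
}

/* 1 if the joined command line cannot fit in a buffer of dstlen bytes. */
int would_overflow(size_t dstlen, int argc, char *const argv[])
{
    return joined_args_len(argc, argv) > dstlen;
}

/*
 * "After" shape, matching the truncation approach described for 1.7: copy
 * whole arguments while they fit, stop at an argument boundary when the next
 * one would not, always NUL-terminate, and report through *truncated whether
 * anything was dropped so the caller can mark the event. Returns the number
 * of arguments actually copied.
 */
int join_args_bounded(char *dst, size_t dstlen, int argc, char *const argv[],
                      int *truncated)
{
    size_t used = 0;
    int copied = 0;

    *truncated = 0;
    if (dstlen == 0)
        return 0;
    for (int i = 0; i < argc; i++) {
        size_t alen = strlen(argv[i]);
        size_t sep = (i > 0) ? 1 : 0;
        if (used + sep + alen + 1 > dstlen) {   /* +1 keeps room for the NUL */
            *truncated = 1;
            break;
        }
        if (sep)
            dst[used++] = ' ';
        memcpy(dst + used, argv[i], alen);
        used += alen;
        copied++;
    }
    dst[used] = '\0';
    return copied;
}

int main(void)
{
    char buf[CMD_BUF_LEN];
    int trunc;

    printf("long command needs %zu bytes, buffer holds %d: overflow=%d\n",
           joined_args_len(LONG_ARGC, LONG_CMD), CMD_BUF_LEN,
           would_overflow(CMD_BUF_LEN, LONG_ARGC, LONG_CMD));
    int n = join_args_bounded(buf, sizeof buf, LONG_ARGC, LONG_CMD, &trunc);
    printf("bounded copy kept %d of %d args, truncated=%d: \"%s\"\n",
           n, LONG_ARGC, trunc, buf);
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run. The bounded version stops at an argument boundary, so the logged text is always a clean prefix of the command line, and the truncated flag is what a caller would use to mark the event as incomplete (or, as Steve suggests, to emit continuation records carrying the remainder).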
Copyright 2007, SecurityGlobal.net LLC