SecurityTracker.com
SecurityTracker Archives
Category:   Application (Security)  >   Libsafe
Vendors:   Avaya
Libsafe Library Security Function Format String Protections Can Be Bypassed
SecurityTracker Alert ID:  1003861
SecurityTracker URL:  http://securitytracker.com/id/1003861
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 20 2002
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 2.0-12
Description:   A vulnerability was reported in the libsafe library's security functions. A user may be able to bypass the libsafe format string protection mechanisms.

It is reported that libsafe protections against format string exploits may be bypassed using flag characters that are implemented in glibc but are not implemented in libsafe.

The following flags are defined in SUSv2 but are not defined in the C standard (quoting from the printf(3) manpage):

' For decimal conversion (i, d, u, f, F, g, G) the
output is to be grouped with thousands' grouping
characters if the locale information indicates any.
Note that many versions of gcc cannot parse this
option and will issue a warning. SUSv2 does not
include %'F.

I For decimal integer conversion (i, d, u) the output
uses the locale's alternative output digits, if any
(for example, Arabic digits). However, it does not
include any locale definitions with such outdigits
defined. (glibc 2.2 only)

For example, this could be exploited as follows:

printf("%'n", &target);
printf("%In", &target);

It is also reported that the libsafe *printf function wrappers incorrectly parse argument indexing in format strings. The function wrappers apparently assume that the n-th conversion specification always uses the n-th argument and the wrappers do not count the real number of arguments used. As a result, arguments whose index numbers are above the total number of conversion specifications are not verified at all.

A demonstration exploit example is provided.

printf("%2$n", "unused argument", &target);

Total number of % format string used: 1 ("%2$n")
Number of argument used: 2
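Both bypasses come down to the grammar a format-string checker uses: its flag set must include the glibc ' and I flags, and the argument index must be taken from the positional N$ prefix rather than from the ordinal position of the conversion. The following C scanner is an added example illustrating that grammar; it is not libsafe's code or the reporter's, and the function names parse_spec and max_n_arg are my own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Parse one conversion specification, *p pointing just after the '%'.
 * Returns the 1-based argument index the conversion consumes (0 for "%%"),
 * stores the conversion character in *conv and advances *p past it.
 * The flag set is glibc's full set, including the SUSv2 ' and I flags. */
static int parse_spec(const char **p, int *next_arg, char *conv)
{
    const char *s = *p;
    int idx = 0;
    if (isdigit((unsigned char)*s)) {           /* positional "N$" prefix */
        const char *q = s;
        int n = 0;
        while (isdigit((unsigned char)*q)) n = n * 10 + (*q++ - '0');
        if (*q == '$') { idx = n; s = q + 1; }
    }
    while (*s && strchr("-+ #0'I", *s)) s++;    /* flags, incl. ' and I */
    if (*s == '*') { s++; (*next_arg)++; }      /* width from an argument */
    else while (isdigit((unsigned char)*s)) s++;
    if (*s == '.') {                            /* precision */
        s++;
        if (*s == '*') { s++; (*next_arg)++; }
        else while (isdigit((unsigned char)*s)) s++;
    }
    while (*s && strchr("hlLqjzt", *s)) s++;    /* length modifiers */
    *conv = *s;
    if (*s) s++;
    *p = s;
    if (idx == 0 && *conv != '%' && *conv != '\0') idx = ++(*next_arg);
    return idx;
}

/* Highest argument index written by a %n conversion in fmt, 0 if none.
 * "%2$n" yields 2 although it is the only conversion: a checker that
 * verifies only as many arguments as there are conversions misses it. */
int max_n_arg(const char *fmt)
{
    int next_arg = 0, max_n = 0;
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        char conv;
        p++;
        int idx = parse_spec(&p, &next_arg, &conv);
        if (conv == 'n' && idx > max_n) max_n = idx;
    }
    return max_n;
}
```

A wrapper that stops at the flag characters it knows, or that assumes the n-th conversion uses the n-th argument, reports 0 for the three strings from the advisory; this scanner reports 1, 1 and 2.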

Impact:   A user may be able to craft an attack against a libsafe-protected application that will bypass the libsafe format string protection mechanisms.
Solution:   The vendor has released a fixed version (2.0-12), available at:

http://www.research.avayalabs.com/project/libsafe/

Vendor URL:  www.research.avayalabs.com/project/libsafe/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Mandrake Issues Fix) Libsafe Library Security Function Format String Protections Can Be Bypassed
The vendor has released a fix for Mandrake Linux.



 Source Message Contents

Subject:  [VulnWatch] Bypassing libsafe format string protection




Name:		libsafe
Version:	up to 2.0-11
URL:		http://www.research.avayalabs.com/project/libsafe/
Date:		March 14, 2002

Issue:
======

Libsafe provides ineffective protection against format string exploit
attacks that may be trivially bypassed.


Description:
============

The libsafe library protects a process against the exploitation of buffer
overflow vulnerabilities in process stacks. Libsafe works with any
existing pre-compiled executable and can be used transparently, even on a
system-wide basis. The method intercepts all calls to library functions
that are known to be vulnerable. A substitute version of the corresponding
function implements the original functionality, but in a manner that
ensures that any buffer overflows are contained within the current stack
frame. Libsafe has been shown to detect several known attacks and can
potentially prevent yet unknown attacks.


Details:
========

1.

Libsafe protection against format string exploits may be easily bypassed
using flag characters that are implemented in glibc but are not
implemented in libsafe. 

These flags, defined in SUSv2, are not defined in the C standard (quoting from
the printf(3) manpage):

       '      For decimal conversion (i, d, u, f, F,  g,  G)  the
              output  is  to  be grouped with thousands' grouping
              characters if the locale information indicates any.
              Note  that  many  versions of gcc cannot parse this
              option and will issue a warning.   SUSv2  does  not
              include %'F.

       I      For decimal integer conversion (i, d, u) the output
              uses the locale's alternative output digits, if any
              (for example, Arabic digits).  However, it does not
              include any locale definitions with such  outdigits
              defined. (glibc 2.2 only)

Example exploit:

	printf("%'n", &target);
	printf("%In", &target);


2.

Libsafe *printf function wrappers incorrectly parse argument indexing in
format strings. They always assume that the n-th conversion specification
uses the n-th argument and do not properly count the real number of arguments
used. Thus, arguments whose index numbers are above the total number of
conversion specifications are not verified at all.

Example exploit:

	printf("%2$n", "unused argument", &target);

Total number of % format string used: 1 ("%2$n")
Number of argument used: 2 


Fix:
====

On March 18, 2002, a new version of libsafe (2.0-12) was released, fixing the
above security issues.

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/


