SecurityTracker.com

Category:   Application (Web Server/CGI)  >   AOLserver
Vendors:   America Online, Inc.
AOLserver Format String Flaw and Buffer Overflow in 'libnspd.a' API for External Database Driver Proxy Daemons May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1004080
SecurityTracker URL:  http://securitytracker.com/id/1004080
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 17 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.0 - 3.4.2
Description:   A format string and buffer overflow vulnerability was reported in AOLserver. A remote user could obtain elevated privileges on the server.

INTEXXIA reported a format string and buffer overflow vulnerability in an AOLserver external database driver proxy daemon. The flaw reportedly resides in the 'Ns_PdLog' function of the library 'libnspd.a'. A remote user could cause arbitrary code to be executed on the system.

According to the report, all External Driver Proxy Daemons using the 'Ns_PdLog' function with the 'Error' or 'Notice' parameters may be affected.

No exploit details were provided.

Impact:   A remote user could cause arbitrary code to be executed on the server.
Solution:   The vendor has issued a fix in the current version in CVS branch nsd_v3_r3_p0 (post-AOLserver 3.4.2). More information on the patch is reportedly available at:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1

Vendor URL:  www.aolserver.com/
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
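
The fix pattern described above (bound the formatted message, then pass it to syslog as data rather than as a format), shown as an added example; it is not AOLserver code or INTEXXIA's patch. The names `pd_vformat`, `pd_format`, `pd_log`, `PD_MSG_MAX` and the truncation marker are hypothetical, and the example goes one step beyond the patch by reporting truncation to the caller.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define PD_MSG_MAX 4096                 /* same size as msgbuf in the patch */
static const char PD_TRUNC[] = "[truncated]";

/* Hypothetical helper (not an AOLserver function): bounded formatting.
 * Returns 0 if the message fit, 1 if it was cut, -1 on error; buf is
 * always NUL-terminated when size > 0. */
static int pd_vformat(char *buf, size_t size, const char *format, va_list ap)
{
    int n;
    if (buf == NULL || size == 0)
        return -1;
    n = vsnprintf(buf, size, format, ap);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= size) {            /* did not fit: mark the cut */
        if (size > sizeof(PD_TRUNC))
            memcpy(buf + size - sizeof(PD_TRUNC), PD_TRUNC, sizeof(PD_TRUNC));
        return 1;
    }
    return 0;
}

/* Front end used to check the formatter without touching syslog. */
int pd_format(char *buf, size_t size, const char *format, ...)
{
    va_list ap;
    int rc;
    va_start(ap, format);
    rc = pd_vformat(buf, size, format, ap);
    va_end(ap);
    return rc;
}

/* Hypothetical log call: 'text' may hold '%' characters from a client. */
int pd_log(int priority, const char *text)
{
    char msgbuf[PD_MSG_MAX];
    int rc = pd_format(msgbuf, sizeof(msgbuf), "%s", text);
    syslog(priority, "%s", msgbuf);     /* message is an argument, not a format */
    return rc;
}
int main(void) { return pd_log(LOG_NOTICE, "constructed input: 100%s") < 0; }
```

Building with GCC's `-Wformat -Wformat-security` flags a call such as `syslog(priority, msgbuf)`, where the format argument is not a string literal.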


 Source Message Contents

Subject:  [CERT-intexxia] AOLServer DB Proxy Daemon Format String Vulnerability



________________________________________________________________________
SECURITY ADVISORY                                            INTEXXIA(c)
30 01 2002                                               ID #1052-300102
________________________________________________________________________
TITLE   : AOLServer DB Proxy Daemon Format String Vulnerability
CREDITS : Guillaume Pelat found this vulnerability / INTEXXIA
________________________________________________________________________


SYSTEM AFFECTED
===============

        AOLServer 3.4.2
        AOLServer 3.4.1
        AOLServer 3.4
        AOLServer 3.3.1
        AOLServer 3.2.1
        AOLServer 3.2
        AOLServer 3.1
        AOLServer 3.0


________________________________________________________________________


DESCRIPTION
===========

        The Laboratory  intexxia found  a format string vulnerability in
the AOL Server external database driver proxy daemon API that could lead
to a privilege escalation.


________________________________________________________________________


DETAILS
=======

        AOL Server provides  an API  to develop external database driver
proxy daemons. Those daemons are linked to a library (libnspd.a).

The Laboratory  intexxia found  a format  string and  a buffer  overflow
vulnerability in  the 'Ns_PdLog'  function of  the  library.  Successful
exploitation of the bug could allow an  attacker to execute code and get
access on the system.

As a result, all  the External Driver Proxy Daemons using the 'Ns_PdLog'
function  with  the  'Error'   or  'Notice'  parameter  are  potentially
vulnerable.


________________________________________________________________________


SOLUTION
========

        This vulnerability has been  fixed in the current version in CVS
branch  nsd_v3_r3_p0 (post-AOLserver  3.4.2) and  can  be  used  for any
affected version.  The patch  used was  created by  intexxia and  can be
found in  attachment. More  information can  be found  at the  following
URL :

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1


________________________________________________________________________


VENDOR STATUS
=============

        14-03-2002 : This bulletin was sent to the development team.
        19-03-2002 : The vendor confirmed the vulnerability and fixed it
                     in  the  CVS  branch  nsd_v3_r3_p0  (post-AOLserver
                     3.4.2).


________________________________________________________________________


LEGALS
======

        AOL Server is a registered trademark.


        Intexxia provides this  information  as a public service and "as
is". Intexxia  will not be  held accountable for  any damage or distress
caused by the proper or improper usage of these materials.


        (c) intexxia 2002. This  document is property  of intexxia. Feel
free to use and distribute  this material as long as  credit is given to
intexxia and the author.


________________________________________________________________________


CONTACT
=======

CERT intexxia                                          cert@intexxia.com
INTEXXIA                                         http://www.intexxia.com
171, av. Georges Clemenceau                 Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France                    Fax : +33 1 55 69 78 80


Attachment: SA1052-300102_aolserver-3.4.2-security-patched

diff -dru aolserver-3.4.2/nspd/log.c aolserver-3.4.2-patched/nspd/log.c
--- aolserver-3.4.2/nspd/log.c	Tue Aug 15 22:24:33 2000
+++ aolserver-3.4.2-patched/nspd/log.c	Wed Jan 30 09:03:11 2002
@@ -206,14 +206,13 @@
             char msgbuf[4096];
=20
             va_start(ap, format);
-            vsprintf(msgbuf, format, ap);
+            vsnprintf(msgbuf, sizeof (msgbuf), format, ap);
             va_end(ap);
-            syslog(priority, msgbuf);
+            syslog(priority, "%s", msgbuf);
         }
     }
 }
=20
-=0C
 /*
  =
*----------------------------------------------------------------------
  *
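
Review bot: the `vsnprintf(msgbuf, sizeof (msgbuf), format, ap)` call discards its return value, so a message longer than the 4096-byte `msgbuf` is now cut silently; consider checking the result and appending a truncation marker so an oversized message is visible in the log rather than quietly shortened. The `syslog(priority, "%s", msgbuf)` change closes the format-string path in this branch, but only this branch of the function is visible here, so any other place in log.c that formats into a fixed buffer or passes a built string as a format needs the same treatment. The removed form-feed line (`-=0C`) before the comment block is unrelated whitespace and would be cleaner as a separate change.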
