logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Options Parsing Tool library buffer overflows
Date: 2003-04-25

Author : KF <dotslash@snosoft.com>

Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number : SRT2003-04-24-1532.txt
Product : Options Parsing Tool shared library
Version : <= opt-3.18
Vendor : http://nis-www.lanl.gov/~jt/
Class : local
Criticality : Low
Operating System(s) : Linux (other unix based?)


High Level Explanation
************************************************************************
High Level Description : Error messages can cause buffer overflow
What to do : recompile and link against newest libopt.a

Technical Details
************************************************************************
Proof Of Concept Status : No PoC needed for this issue.
Low Level Description :

The Options Parsing Tool shared library is a subroutine library which
facilitates the convenient input of parameters to a C or C++ program.
The package attempts to provide a direct and relatively full-featured
input interface to the end user of the program, and at the same time
impose a minimal amount of work on the programmer to "attach" the package
to his or her software.

I am not aware of any suid programs linking against this library but
at the very least Debian provides it as a .deb package. Obvious issues
are raised if a suid application makes use of the OPT libraries.
http://packages.debian.org/stable/devel/opt.html

The error messages in opt pass through one of several functions in order
to print the error to the screen. Either opt_warn_1(), opt_warn_2(),
opt_warn_3(), opt_fatal_1(), opt_fatal_2(), or opt_fatal_3() will be
used when an error occurs. Several similar functions could cause issues
with buffer overflows.

This simple test will show the problems associated with using <= opt-3.18

[dotslash@vegeta test]$ cat > test.c
main(int *argc, char **argv)
{
/* use lubc atoi() */
int x = atoi(argv[1]);
printf("atoi(): %i\n", x);

/* use OPT opt_atoi() */
int y = opt_atoi(argv[2]);
printf("opt_atoi(): %i\n", y);
}

[dotslash@vegeta test]$ cc -o test test.c ../src/libopt.a
[dotslash@vegeta test]$ ./test 1 2
atoi(): 1
opt_atoi(): 2

[dotslash@vegeta test]$ ./test `perl -e 'print "A" x 986'` B
atoi(): 0
OPT Warning: String [B] is not a valid integer, will use [0]
opt_atoi(): 0

[dotslash@vegeta test]$ ./test A `perl -e 'print "A" x 986'`
atoi(): 0
OPT Warning: String
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
is not a valid integer, will use [0]
opt_atoi(): 0
Segmentation fault

strace tells us that we are able to overwrite the eip.
[41414141] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

This occurs because of the following code is triggered when reading
input from the user.

long
opt_atoi(char *s)
{
int valid;
long x;
x = (long)atof(s); /* Call atof() whether or not string is valid,
* because some strings, eg '15x' can still be
* interpreted as numeric. But give a warning
* unless the string really is valid
*/

valid = opt_isvalidnumber(s);
if (!valid || (valid & OPT_NUM_FLOAT)) {
opt_warn_2("String [%s] is not a valid integer, will use [%ld]",s,x);
}
return x;
}

This particular segfault was caused by the opt_warn_2 definition in opt_p.h.
You can see that the data passed on by the user is used in a sprintf() into
a static sized buffer.

#define OPT_ERRMAXSTRLEN 1024 /* shouldn't be fixed length, but it is! */
...
#define opt_warn_2(fmt,var1,var2) do { \
char gstr[OPT_ERRMAXSTRLEN]; sprintf(gstr,fmt,var1,var2); \
opt_warning(gstr); } while(0)

A diff with the new version shows the implementation of snprintf as a valid fix.

< char gstr[OPT_ERRMAXSTRLEN]; sprintf(gstr,fmt,var1,var2,var3); \
---
> char gstr[OPT_ERRMAXSTRLEN]; \
> opt_snprintf_3(gstr,OPT_ERRMAXSTRLEN,fmt,var1,var2,var3); \

A quick test compile against the new version of libopt.a appears to take care
of the problem.

[dotslash@vegeta test]$ pwd
/home/dotslash/opt/opt-3.19/test
[dotslash@vegeta test]$ cc -o test test.c ../src/libopt.a

[dotslash@vegeta test]$ ltrace ./test A `perl -e 'print "A" x 1986'`
...
snprintf("String [AAAAAAAAAAAAAAAAAAAAAAAA"..., 1024, "String [%s] is not a valid integ"...

Patch or Workaround : Relink applications that use libopt.a against the
new version of opt at http://nis-www.lanl.gov/~jt/Software/opt/opt-3.19.tar.gz

Vendor Status : Author has responded and applied a fix to the problem.

Bugtraq URL : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy