Advisories : Format string vulnerability in libutil pw

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Format string vulnerability in libutil pw_error(3) function

Title:	Format string vulnerability in libutil pw_error(3) function
Released by:	OpenBSD
Date:	3rd October 2000
Printable version:	Click here

----------------------------------------------------------------------------



                        OpenBSD Security Advisory



                             October 3, 2000



Format string vulnerability in libutil pw_error(3) function



----------------------------------------------------------------------------



SYNOPSIS



A format string vulnerability present in the pw_error() function of

OpenBSD 2.7's libutil library can yield localhost users root access through

the setuid /usr/bin/chpass utility. This particular vulnerability was

repaired three months ago on June 30th in OpenBSD-current during a complete

source tree audit for format string problems.



OpenBSD developers became aware of an exploit circulating for the chpass(1)

program on the evening of October 2, 2000.



----------------------------------------------------------------------------



AFFECTED SYSTEMS



This vulnerability affects OpenBSD versions through 2.7. FreeBSD 4.0 is

vulnerable, but patches have been backported, and FreeBSD versions 4.1 and

4.1.1 are safe. Bill Sommerfield committed a fix to NetBSD today shortly

after we notified him of the problem.



OpenBSD users running -current (2.8-beta) with a system dated July 1st

or thereafter are safe.



----------------------------------------------------------------------------



DETAILS



In recent months a myriad of "format string" vulnerabilities have been

discovered in a number of software packages. In response to this threat,

the OpenBSD team immediately began a complete source tree audit, identifying

and fixing dozens of these format bugs. While most of the issues were

harmless, a few such as the bug in xlock and one in the OpenBSD ftpd daemon

raised the red flag and patches were released to correct these problems.

Unfortunately, the severity of the format string bug that was fixed in

pw_error() was not fully realized at the time.



In addition to fixing the bugs, CAVEATS sections were added to all stdarg

function man pages (printf, syslog, setproctitle, err/warn) to warn

programmers that user-supplied strings should never be passed to these

routines without using the "%s" conversion specifier.



----------------------------------------------------------------------------



TECHNICAL DETAILS



To understand a format string attack, you need only understand how varargs

(see "man stdarg") functions work. For example, the printf() function

accepts a variable number of arguments depending on the supplied format.

Here is the function prototype:



int

printf(const char *format, ...);



The problem occurs when one of these functions is used thusly:



printf(user_supplied_string);



An attacker can put their own format specifiers in user_supplied_string.

The printf() function does not know where it's arguments stop on the stack.

If you put 100 `%s' format specifiers in the string, but give it no

arguments, the function will happily continue on down the stack blindly.



The problem is magnified by special conversion specifiers such as `%n'

which let you write to memory. Further attack details are beyond the scope

of this advisory. For more information see Guardent's white paper on

"Format String Attacks" by Tim Newsham at the following URL:



http://www.guardent.com/docs/FormatString.PDF



----------------------------------------------------------------------------



RESOLUTION



/bin/chmod u-s /usr/bin/chpass



Use this command to protect yourself until you are patched. (Note that the

vulnerability is actually in the libutil library, which chpass is linked to,

not the chpass program itself.)



Then, apply the fix below to your OpenBSD 2.7 source tree. The patch is also

available at http://www.openbsd.org/errata.html (025).



----------------------------------------------------------------------------



CREDITS



This vulnerability was originally extinguished on June 30th in a mass

format string repair commit by Todd C. Miller of the OpenBSD project. Other

developers who contributed to the audit include Theo de Raadt, Todd Fries,

and Aaron Campbell.



OpenBSD would also like to thank Kyle Hufford and Eric Jackson for their

assistance in creating this advisory.



----------------------------------------------------------------------------



OPENBSD 2.7 PATCH



Apply by doing:

cd /usr/src

patch -p0 < 025_pw_error.patch



And then rebuild and install libutil.

cd lib/libutil

make depend

make

make install



Index: lib/libutil/passwd.c

===================================================================

RCS file: /cvs/src/lib/libutil/passwd.c,v

retrieving revision 1.20

retrieving revision 1.21

diff -u -r1.20 -r1.21

--- lib/libutil/passwd.c 1998/11/16 07:10:32 1.20

+++ lib/libutil/passwd.c 2000/06/30 16:00:07 1.21

@@ -579,7 +579,7 @@

  char   *master = pw_file(_PATH_MASTERPASSWD);



  if (err)

- warn(name);

+ warn("%s", name);

  if (master)

  warnx("%s: unchanged", master);

  pw_abort();