Title: FWTK x-gw format bug
Released by: geekgang
Date: 26th October 2000
              geekgang Security Advisory [gsa2000-01]

                        [www.geekgang.co.uk]

                      © Copyright 2000 geekgang

ID:             geekgang GSA2000-01 01 v1.0
Topic:          FWTK x-gw format bug
Status:         Release 26th October, 2000
Author:         pre
Credit:         Pekka Savola found the potential problem in the code

[Abstract]

The x-gw (X Windows gateway) component of the TIS Firewall Toolkit
(FWTK) contains a format bug vulnerability that may be exploitable
within some installations, allowing users to execute arbitrary code.



[Description]

The FWTK contains a set of proxy applications that are designed to aid a
computing professional in building a firewall system. It is not a
complete firewall product in itself. As such, it is impossible to
ascertain all the different configurations in which the various parts of
the FWTK have been installed.



The x-gw component is designed to proxy connections between X Windows
clients and servers. It would normally be invoked via the tn-gw (Telnet
gateway) component of the FWTK. Installations that invoke the x-gw
through the tn-gw are not vulnerable to this problem, because the tn-gw
pre-processes the input data. Installations using any other method to
invoke the x-gw should check their vulnerability status.



The x-gw takes the X Windows display to connect to as a command line
parameter or environment variable. It performs some sanity checking on
this input and reports an error if the checks fail. The function that
outputs the error message has a format bug: the message it builds
includes the supplied display string, and that message is then passed
to syslog() or fprintf() as the format argument.



The function at fault is pmsg() in the source file x-gw/pmsg.c
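
The pattern described above, as an added example that is not code from
the advisory or from the FWTK source: emit_unpatched() and
emit_patched() are hypothetical stand-ins for the two forms of pmsg(),
and the message text and display string are constructed. The only
directive in the sample input is "%%", which consumes no argument.

```c
#include <stdio.h>
#include <string.h>

#define MSGLEN 256

/* Hypothetical stand-in for the pre-patch pmsg(): the finished message,
 * which already contains the caller's display string, is handed to the
 * printf family as the FORMAT argument. Compilers flag this pattern
 * with -Wformat-security; the warning is silenced here on purpose. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int emit_unpatched(char *out, size_t n, const char *display)
{
    char buf[MSGLEN];
    snprintf(buf, sizeof(buf), "x-gw: bad display '%s'", display);
    return snprintf(out, n, buf);         /* directives in buf are parsed */
}
#pragma GCC diagnostic pop

/* Hypothetical stand-in for the patched pmsg(): the format is the fixed
 * literal "%s", so the message is treated as data only. */
int emit_patched(char *out, size_t n, const char *display)
{
    char buf[MSGLEN];
    snprintf(buf, sizeof(buf), "x-gw: bad display '%s'", display);
    return snprintf(out, n, "%s", buf);
}

/* Regression check: does the display string reach the output unchanged? */
int display_preserved(int (*emit)(char *, size_t, const char *),
                      const char *display)
{
    char out[MSGLEN];
    emit(out, sizeof(out), display);
    return strstr(out, display) != NULL;
}

int main(void)
{
    /* Constructed input: '%' followed by '%' is rewritten to a single
     * '%' when the string is parsed as a format. */
    const char *display = "host%%:0";
    printf("unpatched preserves input: %d\n",
           display_preserved(emit_unpatched, display));
    printf("patched preserves input:   %d\n",
           display_preserved(emit_patched, display));
    return 0;
}
```

A display string that comes out altered shows that the output call is
interpreting it as a format rather than printing it as data.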



[Solution]

Patch:



--- x-gw/pmsg.c.orig Mon Oct 23 13:21:26 2000

+++ x-gw/pmsg.c Mon Oct 23 13:22:36 2000

@@ -37,9 +37,9 @@

  buf[sizeof(buf)-1] = '\0';

    }



-   if( uselog ) syslog( LLEV, buf );

+   if( uselog ) syslog( LLEV, "%s", buf );

    else {

-       fprintf( stderr, buf );

+       fprintf( stderr, "%s", buf );

        fflush(stderr);

    }

 }
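
Review bot: In the else branch, fputs( buf, stderr ) would be a tighter fix than fprintf( stderr, "%s", buf ), since it takes no format argument at all; syslog() has no such alternative, so "%s" is the right form for that call. The context line buf[sizeof(buf)-1] = '\0'; only terminates the buffer, and the call that fills buf is above this hunk, so confirm that write is bounded to sizeof(buf) as well. A short comment at the two output calls noting that buf may carry user-supplied text would help keep the fixed format in place in later edits.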



[Exploit]

An exploit for this vulnerability will be made available on the geekgang
website.



[Disclaimer]

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY
BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.







