Advisory Name: Oops proxy server format string vulnerability in passwd_mysql/passwd_pgsql module Release Date: 04/14/2005 Application: Oops <=1.5.23 Site: http://oops-cache.org Platform: Linux and unix compatible Severity: Attacker can crash proxy server and possibly execute commands Author: Edisan RST/GHC OVERVIEW: Oops! - is a proxy server, the main aims of its development being stable operation, service speed, main protocols support, modularity, ease at use. The format string vulnerability found in MySQL/PgSQL authentification module. Successful exploitation may potentially allow execution of arbitrary code. DETAILS: The format string vulnerability lies within the auth() function which is declared in oops-1.5.23/src/modules/passwd_sql.c file ... MODULE_STATIC int auth(int so, struct group *group, struct request* rq, int *flags) { ... sprintf(logbuf,"auth(): request: " "ip=%d.%d.%d.%d host=%s method=%s\n", (rq->client_sa.sin_addr.s_addr ) & 0xff, (rq->client_sa.sin_addr.s_addr >> 8) & 0xff, (rq->client_sa.sin_addr.s_addr >> 16) & 0xff, (rq->client_sa.sin_addr.s_addr >> 24) & 0xff, rq->url.host, rq->method ); 573: my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM,logbuf); // <== Vulnerabiblity ... The function my_xlog() has located in oops-1.5.23/src"lib.c" tppabs="http://rst.void.ru/lib.c" file, and used arguments as a format string specifier to vsnprintf() my_xlog(int lvl, char *form, ...) { va_list ap; char ctbuf[80], *c; time_t now; void *self; char fbuf[256], *s = fbuf, *pe; int l, le; int err = ERRNO; ERRBUF ; if ( !TEST(lvl, verbosity_level) ) return; // <= passed by default .. .. if ( TEST(lvl, ~ OOPS_LOG_PRINT) ) { char *b1; int b1len; b1len = strlen(ctbuf) + 20; b1 = malloc(b1len); if ( b1 ) { char buf[256]; snprintf(b1, b1len-1, "%s [%p]", ctbuf, self); vsnprintf(buf, sizeof(buf)-1, fbuf, ap); // <= call vsnprintf(...) put_str_in_filebuff(b1, &logbuff); put_str_in_filebuff(buf, &logbuff); free(b1); } } if ( TEST(lvl, OOPS_LOG_PRINT) ) vprintf(fbuf, ap); // <== call vprintf(...) .. } EXPLOIT: A HTTP request of the following: ----8<-- GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0 Host: ghc.ru Proxy-Authorization: Basic Z2hjOnJzdA== -->8---- will cause program segfault SOLUTION: The patch is included here: --- passwd_sql.c 2002-03-09 20:46:02.000000000 +0300 +++ passwd_sql.c 2005-04-13 11:02:44.950595216 +0400 @@ -570,7 +570,7 @@ rq->url.host, rq->method ); - my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM,logbuf); + my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM, "%s", logbuf); if ( rq->av_pairs) authorization = attr_value(rq->av_pairs, "Proxy-Authorization"); CREDITS: Discovery of this issue is credited to RST/GHC. http://rst.void.ru http://www.ghc.ru