Advisory Name: Oops proxy server format string vulnerability in passwd_mysql/passwd_pgsql module
Release Date: 04/14/2005
Application: Oops <=1.5.23
Site: http://oops-cache.org
Platform: Linux and unix compatible
Severity: Attacker can crash proxy server and possibly execute commands
Author: Edisan
RST/GHC
OVERVIEW:
Oops! is a proxy server whose main development aims are stable operation,
service speed, support for the main protocols, modularity and ease of use.
A format string vulnerability was found in its MySQL/PgSQL authentication module.
Successful exploitation may potentially allow execution of arbitrary code.
DETAILS:
The format string vulnerability lies within the auth() function, which is
declared in the oops-1.5.23/src/modules/passwd_sql.c file (the vulnerable call is at line 573):
...
MODULE_STATIC
int auth(int so, struct group *group, struct request* rq, int *flags)
{
...
    sprintf(logbuf, "auth(): request: "
            "ip=%d.%d.%d.%d host=%s method=%s\n",
            (rq->client_sa.sin_addr.s_addr      ) & 0xff,
            (rq->client_sa.sin_addr.s_addr >>  8) & 0xff,
            (rq->client_sa.sin_addr.s_addr >> 16) & 0xff,
            (rq->client_sa.sin_addr.s_addr >> 24) & 0xff,
            rq->url.host,
            rq->method
            );
    my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM, logbuf); // <== Vulnerability: logbuf, built from the client-supplied host and method, is passed as the format string
...
The function my_xlog() is located in the oops-1.5.23/src/lib.c file; it uses the caller-supplied format (copied into fbuf) as the format string for vsnprintf() and vprintf():
my_xlog(int lvl, char *form, ...)
{
    va_list ap;
    char ctbuf[80], *c;
    time_t now;
    void *self;
    char fbuf[256], *s = fbuf, *pe;
    int l, le;
    int err = ERRNO;
    ERRBUF;

    if ( !TEST(lvl, verbosity_level) ) return; // <= passed by default
..
..
    if ( TEST(lvl, ~ OOPS_LOG_PRINT) ) {
        char *b1;
        int b1len;

        b1len = strlen(ctbuf) + 20;
        b1 = malloc(b1len);
        if ( b1 ) {
            char buf[256];
            snprintf(b1, b1len-1, "%s [%p]", ctbuf, self);
            vsnprintf(buf, sizeof(buf)-1, fbuf, ap); // <= call vsnprintf(...) with the caller's string as format
            put_str_in_filebuff(b1, &logbuff);
            put_str_in_filebuff(buf, &logbuff);
            free(b1);
        }
    }
    if ( TEST(lvl, OOPS_LOG_PRINT) )
        vprintf(fbuf, ap); // <== call vprintf(...) with the caller's string as format
..
}
EXPLOIT:
An HTTP request such as the following:
----8<--
GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0
Host: ghc.ru
Proxy-Authorization: Basic Z2hjOnJzdA==
-->8----
will cause the program to segfault.
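The following is an added example, not code from the oops project or from the advisory authors. It serves both the DETAILS and EXPLOIT sections: a stand-in logger (safe_xlog, an assumed name) declared with GCC's format attribute so that -Wformat-security reports callers that pass a non-literal format, the "%s", logbuf pattern from the fix, a bounded replacement for the sprintf() that fills logbuf, and a defender-side check that counts printf directives in the host of a proxy request line, run here on a constructed benign request and on the request shown above. Names, buffer sizes and sample lines are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[512];   /* stand-in for the oops log buffer (assumption) */

/* Stand-in for my_xlog(): the format attribute makes gcc/clang warn under
 * -Wformat -Wformat-security on safe_xlog(buf) where buf is not a literal. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
static void safe_xlog(const char *form, ...)
{
    va_list ap;
    va_start(ap, form);
    vsnprintf(last_log, sizeof last_log, form, ap);
    va_end(ap);
}

/* Counts printf conversion directives in s; "%%" is a literal percent sign.
 * A non-zero count in data that came from a client is the signal that the
 * data must only ever reach a printf-family function as an argument. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Extracts the host of an absolute-URI request line such as
 * "GET http://host/ HTTP/1.0" into out. Returns 0 on success, -1 when the
 * line has no "://" or the host does not fit. */
int request_host(const char *line, char *out, size_t outlen)
{
    const char *start = strstr(line, "://");
    if (!start)
        return -1;
    start += 3;
    size_t len = strcspn(start, "/ \r\n");
    if (len >= outlen)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Number of directives in the request's host: 0 for a benign request,
 * -1 when no host could be parsed. */
int request_host_directives(const char *line)
{
    char host[256];
    if (request_host(line, host, sizeof host) != 0)
        return -1;
    return count_directives(host);
}

/* Rebuilds the auth() log line with a bounded snprintf (the original used an
 * unbounded sprintf), then logs it the fixed way: as an argument to "%s". */
const char *log_auth_request(const unsigned char ip[4], const char *host,
                             const char *method)
{
    char logbuf[512];
    snprintf(logbuf, sizeof logbuf,
             "auth(): request: ip=%u.%u.%u.%u host=%s method=%s\n",
             (unsigned)ip[0], (unsigned)ip[1], (unsigned)ip[2], (unsigned)ip[3],
             host, method);
    safe_xlog("%s", logbuf);   /* the "%s", logbuf form from the patch */
    return last_log;
}

int main(void)
{
    /* constructed sample request lines */
    const char *hostile = "GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0";
    const char *benign  = "GET http://ghc.ru/ HTTP/1.0";
    unsigned char ip[4] = {10, 0, 0, 1};

    printf("directives in hostile host: %d\n", request_host_directives(hostile));
    printf("directives in benign host:  %d\n", request_host_directives(benign));
    printf("logged: %s", log_auth_request(ip, "%s%s%s%s%s%s%s%s", "GET"));
    return 0;
}
```

With the fixed call the eight %s directives survive into the log text as literal characters and are never interpreted; the same string handed to a logger as its format argument is what the advisory's crash relies on. Compiling any caller of safe_xlog() with -Wformat -Wformat-security is the cheap way to find the remaining my_xlog(lvl, buf) call sites in a tree.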
SOLUTION:
The patch is included here:
--- passwd_sql.c 2002-03-09 20:46:02.000000000 +0300
+++ passwd_sql.c 2005-04-13 11:02:44.950595216 +0400
@@ -570,7 +570,7 @@
rq->url.host,
rq->method
);
- my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM,logbuf);
+ my_xlog(OOPS_LOG_NOTICE|OOPS_LOG_DBG|OOPS_LOG_INFORM, "%s", logbuf);
if ( rq->av_pairs)
authorization = attr_value(rq->av_pairs, "Proxy-Authorization");
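Review bot: The one-line fix is correct; with my_xlog(..., "%s", logbuf) the client-controlled host and method text inside logbuf is an argument, not a format, so vsnprintf()/vprintf() in lib.c no longer interpret it. Two things worth folding into the same patch: the sprintf() that fills logbuf just above this hunk has no length bound on rq->url.host and rq->method, so snprintf(logbuf, sizeof(logbuf), ...) would close the neighbouring overflow at the same time, and declaring my_xlog() with __attribute__((format(printf, 2, 3))) would let the compiler report any other my_xlog(lvl, buf) callers under -Wformat-security instead of relying on a manual audit.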
CREDITS:
Discovery of this issue is credited to RST/GHC.
http://rst.void.ru
http://www.ghc.ru