Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Aug 2009 18:50:50 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: CVE id request: silc-toolkit

Hi,
silc-toolkit upstream fixed [0] various security issues which 
from my assessment allow an attacker arbitrary code 
execution. I'd like to get some CVE ids for these.

|    ASN1: Fix stack variable overwrite when encoding OID.
|
|    The call to sscanf specifies a format string of "%lu", a long unsigned
|    int.  The pointer argument was cast to unsigned long *, but this is
|    wrong for 64 bit systems.  On 64 bit systems, unsigned long is 64 bits,
|    but the oid value is a SilcUInt32 on all systems.  As a result, sscanf
|    will overwrite a neighboring variable on the stack.  Fix this by
|    changing the format string to "%u" and removing the cast.

|    Fixed string format vulnerability in client entry handling.
|
|    Reported and patch provided by William Cummings.

This one allows an attacker to execute arbitrary code, tested.

|     More string format fixes in silcd and client libary

From what I see this is only a problem if full_channel_names settings is used in
SilcClientParams and can't be triggered by an attacker but only by the victim,
maybe I miss something, I'm not that familar with the silc protocol.

|    HTTP: fix stack overwrite due to format string error.
|    
|    On AMD64, %lu refers to a 64-bit unsigned value, but the address passed
|    to sscanf points to a 32-bit unsigned value.  This causes an adjoining
|    value on the stack to be overwritten with data from the converted
|    integer.  Fix the format string to match the size of the supplied value,
|    and remove the pointer cast.

This is only a problem if the internal http server e.g. for checking stats
is enabled.

Can I get CVE ids for the above issues?
The upstream patch is attached.

Cheers
Nico

[0] http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10


-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

commit 25a6a61ecf6561bdb00e289175989e28d0fb26bb
Author: kp@...hallalegends.com <kp@...hallalegends.com>
Date:   Sat May 31 16:37:45 2008 -0500

    ASN1: Fix stack variable overwrite when encoding OID.
    
    The call to sscanf specifies a format string of "%lu", a long unsigned
    int.  The pointer argument was cast to unsigned long *, but this is
    wrong for 64 bit systems.  On 64 bit systems, unsigned long is 64 bits,
    but the oid value is a SilcUInt32 on all systems.  As a result, sscanf
    will overwrite a neighboring variable on the stack.  Fix this by
    changing the format string to "%u" and removing the cast.

diff --git a/lib/silcasn1/silcasn1_encode.c b/lib/silcasn1/silcasn1_encode.c
index 8586a8c..3027129 100644
--- a/lib/silcasn1/silcasn1_encode.c
+++ b/lib/silcasn1/silcasn1_encode.c
@@ -351,7 +351,7 @@ silc_asn1_encoder(SilcAsn1 asn1, SilcStack stack1, SilcStack stack2,
 	/* Get OID words from the string */
 	cp = strchr(oidstr, '.');
 	while (cp) {
-	  if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) {
+	  if (sscanf(oidstr, "%u", &oid) != 1) {
 	    SILC_LOG_DEBUG(("Malformed OID string"));
 	    goto fail;
 	  }
@@ -362,7 +362,7 @@ silc_asn1_encoder(SilcAsn1 asn1, SilcStack stack1, SilcStack stack2,
 	  cp = strchr(oidstr, '.');
 
 	  if (!cp) {
-	    if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) {
+	    if (sscanf(oidstr, "%u", &oid) != 1) {
 	      SILC_LOG_DEBUG(("Malformed OID string"));
 	      goto fail;
 	    }

commit 9c93e2c6df752c32bcb64335b418523aae331715
Author: Pekka Riikonen <priikone@...cnet.org>
Date:   Fri Jul 31 22:32:57 2009 +0300

    Fixed string format vulnerability in client entry handling.
    
    Reported and patch provided by William Cummings.

diff --git a/lib/silcclient/client_entry.c b/lib/silcclient/client_entry.c
index 4ec2e0a..6d125b5 100644
--- a/lib/silcclient/client_entry.c
+++ b/lib/silcclient/client_entry.c
@@ -800,10 +800,10 @@ SilcClientEntry silc_client_add_client(SilcClient client,
 		      client_entry->server, sizeof(client_entry->server));
   if (nickname && client->internal->params->full_nicknames)
     silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		  nickname);
+		  "%s", nickname);
   else if (nickname)
     silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		  parsed);
+		  "%s", parsed);
 
   silc_parse_userfqdn(username, client_entry->username,
 		      sizeof(client_entry->username),
@@ -890,10 +890,10 @@ void silc_client_update_client(SilcClient client,
 			client_entry->server, sizeof(client_entry->server));
     if (client->internal->params->full_nicknames)
       silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		    nickname);
+		    "%s", nickname);
     else
       silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		    parsed);
+		    "%s", parsed);
 
     /* Normalize nickname */
     nick = silc_identifier_check(parsed, strlen(parsed),
@@ -1186,7 +1186,7 @@ SilcClientEntry silc_client_nickname_format(SilcClient client,
         return NULL;
 
       silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
-		    cp);
+		    "%s", cp);
       silc_free(cp);
     }
 

commit a785cba501a940921d215c18bc410a53bf1b12e8
Author: Pekka Riikonen <priikone@...cnet.org>
Date:   Fri Aug 7 14:48:46 2009 +0300

    More string format fixes in silcd and client libary

diff --git a/lib/silcclient/command.c b/lib/silcclient/command.c
index a9f9502..71fd348 100644
--- a/lib/silcclient/command.c
+++ b/lib/silcclient/command.c
@@ -955,7 +955,7 @@ SILC_FSM_STATE(silc_client_command_topic)
     }
 
     if (client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
@@ -2143,7 +2143,7 @@ SILC_FSM_STATE(silc_client_command_kick)
     }
 
     if (client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
@@ -2553,7 +2553,7 @@ SILC_FSM_STATE(silc_client_command_leave)
     }
 
     if (client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,
@@ -2620,7 +2620,7 @@ SILC_FSM_STATE(silc_client_command_users)
     }
 
     if (conn->client->internal->params->full_channel_names)
-      silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+      silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
     else
       silc_snprintf(tmp, sizeof(tmp), "%s%s%s",
 		    conn->current_channel->channel_name,

commit f9acb085b819a7d0c6b3e9f40bc78f26bc2d429b
Author: kp@...hallalegends.com <kp@...hallalegends.com>
Date:   Fri Dec 12 21:38:54 2008 -0600

    HTTP: fix stack overwrite due to format string error.
    
    On AMD64, %lu refers to a 64-bit unsigned value, but the address passed
    to sscanf points to a 32-bit unsigned value.  This causes an adjoining
    value on the stack to be overwritten with data from the converted
    integer.  Fix the format string to match the size of the supplied value,
    and remove the pointer cast.

diff --git a/lib/silchttp/silchttpserver.c b/lib/silchttp/silchttpserver.c
index fba3ba0..88d6174 100644
--- a/lib/silchttp/silchttpserver.c
+++ b/lib/silchttp/silchttpserver.c
@@ -194,7 +194,7 @@ static SilcBool silc_http_server_parse(SilcHttpServer httpd,
 
     /* Check we have received all data */
     cl = silc_mime_get_field(conn->curheaders, "Content-Length");
-    if (cl && sscanf(cl, "%lu", (unsigned long *)&cll) == 1) {
+    if (cl && sscanf(cl, "%u", &cll) == 1) {
       if (data_len < cll) {
 	/* More data to come */
 	silc_mime_free(conn->curheaders);



[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ