Date: Thu, 2 May 2013 21:40:22 -0500
From: Andrés Gómez Ramírez <andresgomezram7@...il.com>
To: "Christey, Steven M." <coley@...re.org>
Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "kseifried@...hat.com" <kseifried@...hat.com>
Subject: Re: Flightgear remote format string

Hi,

The format string bug is located in the core functionality of flightgear. What may differ is the way you can access the property tree, and so the vulnerable code:

* The remote way, which is not activated by default, is accessible when the "telnet" or "props" options are passed to the program.
* The local way (not too interesting): the user modifies cloud parameters through a GUI window.
* And a third way I just realized. Flightgear uses a script language called Nasal. Nasal allows, among other things, editing the property tree. These scripts can be used directly from the models, aircraft, airports, etc. - without any security check - (http://wiki.flightgear.org/Howto:Nasal_in_scenery_object_XML_files), so by loading a specially crafted model, the vulnerability can be thrown.

By the way, reading a little more about Nasal (http://wiki.flightgear.org/Howto:Making_HTTP_Requests_from_Nasal) it seems that you can do a lot of weird things like make HTTP requests ... WTF! So I theoretically could create an aircraft which does a lot of creative web requests :\

Yes, one doesn't usually think that a flight simulator has those advanced features.

Regards.

On Thu, May 2, 2013 at 10:48 AM, Christey, Steven M. <coley@...re.org> wrote:
> Andrés,
>
> Here is my interpretation of the problem. I believe there is some
> confusion because people don't usually think that a flight simulator could
> be accessible from a "remote" location.
>
> Is the following correct?
>
> 1) The Flightgear package includes a network server. This server can be
> run using fgfs.exe and specifying a port number using the "-telnet"
> argument, for example.
>
> 2) The format string problem is in the server.
>
> 3) Your exploit makes a connection to the server (on port 5501).
>
> 4) The exploit sends a number of format strings in the cloud names (using
> the "property tree"). For some reason, it sends the same command 5 times,
> and it sends this command for "layers" 1 through 5.
>
> 5) The exploit causes the server to crash.
>
> - Steve
>
> >-----Original Message-----
> >From: Andrés Gómez Ramírez [mailto:andresgomezram7@...il.com]
> >Sent: Thursday, May 02, 2013 11:13 AM
> >To: kseifried@...hat.com
> >Cc: oss-security@...ts.openwall.com
> >Subject: Re: [oss-security] Flightgear remote format string
> >
> >>
> >> So it's not on by default? Is there any documentation specifically you
> >> can point me to regarding enabling/securing it?
> >>
> >
> >Hi,
> >the detailed info is in the reference:
> >
> >http://kuronosec.blogspot.com/2013/04/flightgear-remote-format-string.html
> >
> >if you need more info, please let me know.
>

--
Andrés Gómez Ramírez | Diagnostic Analyst
Fluidsignal Group S.A. | Where Security Meets Business
http://www.fluidsignal.com/ | ISO 9001:2008 / ISO 27001:2005
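The thread above turns on one defect class: a user-controlled string (here a cloud-layer name taken from the property tree) reaching a printf-family function as the format argument instead of as data. The C below is an added illustration written for this archive page, not FlightGear's code (FlightGear is C++ and its property tree API is not modelled here); the function names, the "cloud layer" message format and the sample names are constructed. It shows the hardened pattern (the untrusted value is always bound to a "%s" conversion), a validator that flags values carrying '%' before they reach any formatting stage, and an escaper that doubles '%' for values that must survive a later format pass.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * The vulnerable shape (NOT compiled here, shown for contrast):
 *
 *     snprintf(out, outsz, name);   // `name` is attacker-controlled
 *
 * Any '%' directives inside `name` are interpreted by snprintf, so the
 * caller loses control over which arguments are read or written.
 */

/* Hardened form: the untrusted value is passed as data via "%s".
 * The format string is a literal under the programmer's control.
 * Returns the snprintf result (chars that would have been written). */
int format_cloud_name_safe(char *out, size_t outsz, int layer, const char *name)
{
    return snprintf(out, outsz, "cloud layer %d: %s", layer, name);
}

/* Validation check: does the value contain a '%' at all? A name that
 * carries '%' is never legitimate for a cloud layer, so rejecting it at
 * the input boundary (telnet/props command, GUI field, Nasal setter)
 * gives defence in depth even if a format call is later misused. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Escape every '%' as "%%" so the result can be handed to a later
 * format stage without being interpreted. Truncates if `outsz` is too
 * small and always NUL-terminates when outsz > 0. Returns the number
 * of characters written (excluding the terminator). */
size_t escape_percent(char *out, size_t outsz, const char *in)
{
    size_t o = 0;
    if (outsz == 0)
        return 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outsz)          /* keep room for the NUL */
            break;
        out[o++] = *p;
        if (*p == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample names: one benign, one carrying directives. */
    const char *names[] = { "cumulus", "%x%x%n" };
    char buf[128], esc[128];

    for (int i = 0; i < 2; i++) {
        if (contains_format_directive(names[i]))
            printf("rejected at input boundary: \"%s\"\n", names[i]);

        /* Even the hostile name is harmless through the safe path. */
        format_cloud_name_safe(buf, sizeof buf, i + 1, names[i]);
        printf("%s\n", buf);

        escape_percent(esc, sizeof esc, names[i]);
        printf("escaped for a later format pass: %s\n", esc);
    }
    return 0;
}
```

The first line of defence is the literal format string in `format_cloud_name_safe`; the validator and escaper are the boundary checks a reviewer would ask for on each of the three input paths the mail enumerates (remote props/telnet, GUI, Nasal), so that a '%' never travels through the property tree into a format call in the first place.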