Formatting string bug on cyrus-sasl library

[Kari Hurtta <hurtta+zz () leija mh fmi fi>]

This issue may be already have been on list. I assume
that the moderator this case rejects this mail. 

On last non-beta version of cyrus-sasl library have 
formatting string bug on default logging callback.

Default cyrys sasl logging callback is

static int _sasl_syslog(void *context __attribute__((unused)),
                        int priority,
                        const char *message)

on end of that function there is is

    /* do the syslog call. do not need to call openlog */
    syslog(syslog_priority | LOG_AUTH, message);

    return SASL_OK;
}

syslog takes format string as argument.

That is cyrus-sasl-1.5.24. That is lastest non-beta version on
 ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/


I have told that this is fixed on beta version.
================================================
From: Lawrence Greenfield
Date: Sun, 30 Sep 2001 10:12:19 -0400

If you take a look at
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/cyrus-sasl-1.5.27.tar.gz

you'll notice that it has bug #326 fixed.
================================================

Cyrus-sasl library is used on applications such as
           Cyrus Imapd
           OpenLDAP
           Sendmail
           and perhaps others.

If you do not want use beta version, you may fix that yourself.
For example something like

--- lib/common.c.orig   Maanantai Heinäkuu 17 20:21:02 2000
+++ lib/common.c        Tiistai Lokakuu  2 12:31:13 2001
@@ -596,7 +596,9 @@
     }
     
     /* do the syslog call. do not need to call openlog */
-    syslog(syslog_priority | LOG_AUTH, message);
+
+    /* Patched by Kari Hurtta -- 2001-10-02   */
+    syslog(syslog_priority | LOG_AUTH, "%s", message);
     
     return SASL_OK;
 }



Generally cyrus plugins does not log useraname or similar data to log,
but there is at least one plugin which seems indirectly call that
function  with user supplied data. You may also want check if there is
bad data logged in case of protocoll errors.


I should add that author does not believe that to be exploitable.
================================================
From: Lawrence Greenfield
Date: Sun, 30 Sep 2001 10:12:19 -0400

You'll notice that _sasl_syslog() is called only from _sasl_log(),
which does the format expansion itself.  I agree that the above is
poor programming (which is why it was fixed) but doesn't appear to be
exploitable (which is why I didn't rush out to release another libsasl
version).
================================================


My opinion is that it does not matter if _sasl_log()
does formatting. Call is something like

     log_helper_function("some text %s more text",user_data);

where user_data is passed from somewhere, and includes user suplied data.
_sasl_log() will produce from that string like

         some text attack here more text

which is passed to syslog as format string.  Data from user_data 
("attack here") may include format arguments. Therefor formating done by 
_sasl_log() does not matter. _sasl_log() perhaps truncates data from 
user_data, but I do not think that it matters.

If you search that bugid

   http://bugzilla.andrew.cmu.edu/show_bug.cgi?id=326 

you notice that that bug is reported and fixed about one year ago.
So perhaps you have already hear about that...

-- 
          /"\                           |  Kari 
          \ /     ASCII Ribbon Campaign |    Hurtta
           X      Against HTML Mail     |
          / \                           |