Bugtraq mailing list archives

Remote multiple vulnerability in apt-www-proxy.

From: "dong-h0un U" <xploit () hackermail com>
Date: Mon, 09 Dec 2002 04:58:52 +0800


        ========================================
        INetCop Security Advisory #2002-0x82-009
        ========================================


* Title: Remote multiple vulnerability in apt-www-proxy.


0x01. Description

__
bash$ lynx -dump http://ironsides.terrabox.com/~ahzz/apt-www-proxy/

                               apt-www-proxy

   apt-www-proxy is a proxy server designed specificly for apt-get
   http:// repositories. It gathers files that clients request, and then
   simultaneously retrieves, streams to client, and to local disk archive
   based on a set of archive mappings a lot like apt-proxy does. I
   decided to write this due to the unstable nature of apt-proxy. IMHO
   this is due to it being written in shell script. It's a good design,
   just was never implemented in the right kind of language.

   [1]apt-www-proxy 0.1 - accepts clients and automaticly says "not
   found". nifty eh? 8-P

   And of course, who would be without the [2]latest snapshot!

   Back to my [3]homepage!

References

   1. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/apt-www-proxy-0.1.tar.gz
   2. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/latest-AWP.tar.bz2
   3. http://ironsides.terrabox.com/~ahzz/index.html
bash$
--

OK, Let's analyze.

Examine syslog() function first.
There is awp_log() function to 173 lines of 'src/utils.c' code.

    __
   173  void awp_log(int level, const char *message)
        ...
   222    if((level < LOG_DEBUG) || (1 ==  logit))
   224        /* log that information */
   227            syslog(level, message); // Here.
        ...
    --

It's very bad state.
awp_log() function is used as follows.
Format string bug happens by setting file error log.

Let's find awp_log() function in 'apt-www-proxy.c' code.

    __
    47    awp_log(LOG_DATA, errlog);
    78    awp_log(LOG_DATA, errlog);
    93    awp_log(LOG_DATA, errlog);
   130                awp_log(LOG_DATA, errlog);
   146                awp_log(LOG_DATA, errlog);
   157            awp_log(LOG_GEN, errlog);
   287    awp_log(LOG_NOTICE, errlog);
   500        awp_log(LOG_NOTICE,errlog);
   510        awp_log(LOG_CRIT, errlog);
   527            awp_log(LOG_ERR, errlog);
   538    awp_log(LOG_INFO, errlog);
   546        awp_log(LOG_NOTICE, errlog);
   554        awp_log(LOG_NOTICE, errlog);
   560        awp_log(LOG_NOTICE, errlog);
   572        awp_log(LOG_NOTICE, errlog);
    --

Second, examine remote DoS vulnerability.
We read 'utils.c' code again.

    __
   260  int parse_get(struct client * client)
        ...
   268    /* now match against the archives */
   269    if(!strncmp("http://";, client->get, 7)) // Here.
   270      {
   271        /* AHHA! It's a full URL. */
    --

If 'client->get' value is NULL, strncmp() function segfault happens crash.
Program function execution structure is as following.

----------------------------------------------------------------------
main()->main_loop()->process_cli()->parse_get()->strncmp()->'segfault'
----------------------------------------------------------------------


0x02. Vulnerable Packages


Vendor site: http://ironsides.terrabox.com/~ahzz/apt-www-proxy/

apt-www-proxy 0.1
-apt-www-proxy-0.1.tar.gz
+Linux


0x03. Exploit


Do you want exploit code? Very regrettable. :-(
We don't want to compose DoS code.


0x04. Patch


=== utils.patch ===

--- utils.c     Mon Oct 22 15:20:29 2001
+++ utils.patch.c       Sat Nov 30 02:26:35 2002
@@ -224,11 +224,11 @@
       /* log that information */
       if(background)
        {
-         syslog(level, message);
+         syslog(level, "%s", message);
        }
       else
        {
-         fprintf(stderr, message);
+         fprintf(stderr, "%s", message);
        }
     }
 }
@@ -265,6 +265,10 @@
   struct urlmask *curu = urls;
   int found = 0;
 
+  if(client->get==NULL)
+  {
+      return(0);
+  }
   /* now match against the archives */
   if(!strncmp("http://";, client->get, 7))
     {

=== eof ===


P.S: Sorry, for my poor english.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net

GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--


-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze
Current thread:

Remote multiple vulnerability in apt-www-proxy. dong-h0un U (Dec 10)
- <Possible follow-ups>
- Remote multiple vulnerability in apt-www-proxy. dong-h0un U (Dec 11)