oss-sec mailing list archives

Re: Flightgear remote format string

From: Andrés Gómez Ramírez <andresgomezram7 () gmail com>
Date: Thu, 2 May 2013 21:40:22 -0500

Hi,

The format string bug is located in the core functionality of flightgear.
What may differ is the way you can access the property tree, and so the
vulnerable code:

* The remote way, which is not activated by default, is accessible when
"telnet" or "props" options are passed to the program.

* The local way (not too interesting), the user modifies cloud parameters
through GUI window.

* And a third way I just realized. Flightgear uses a script language
called Nasal. Nasal allows, among other things, editing the property tree.
These scripts can be used directly from the models, aircraft, airports,
etc. - without any security check -
(http://wiki.flightgear.org/Howto:Nasal_in_scenery_object_XML_files)
so by loading a specially crafted model, the vulnerability can be thrown.

By the way, reading a little more about Nasal
(http://wiki.flightgear.org/Howto:Making_HTTP_Requests_from_Nasal) it seems
that you can do a lot of weird things like make HTTP requests ... WTF!

So I theoretically could create an aircraft which does a lot of creative
web requests :\

Yes, one doesn't usually think that a flight simulator has those advanced
features.

Regards.

On Thu, May 2, 2013 at 10:48 AM, Christey, Steven M. <coley () mitre org> wrote:

Andrés,

Here is my interpretation of the problem.  I believe there is some
confusion because people don't usually think that a flight simulator could
be accessible from a "remote" location.

Is the following correct?

1) The Flightgear package includes a network server.  This server can be
run using fgfs.exe and specifying a port number using the "-telnet"
argument, for example.

2) The format string problem is in the server.

3) Your exploit makes a connection to the server (on port 5501).

4) The exploit sends a number of format strings in the cloud names (using
the "property tree").  For some reason, it sends the same command 5 times,
and it sends this command for "layers" 1 through 5.

5) The exploit causes the server to crash.

- Steve

-----Original Message-----
From: Andrés Gómez Ramírez [mailto:andresgomezram7 () gmail com]
Sent: Thursday, May 02, 2013 11:13 AM
To: kseifried () redhat com
Cc: oss-security () lists openwall com
Subject: Re: [oss-security] Flightgear remote format string


So it's not on by default? Is there any documentation specifically you
can point me to regarding enabling/securing it?


Hi,
the detailed info is in the reference:

http://kuronosec.blogspot.com/2013/04/flightgear-remote-format-string.html

if you need more info, please let me know.




-- 
Andrés Gómez Ramírez | Analista de Diagnóstico
Fluidsignal Group S.A. | Where Security Meets Business
http://www.fluidsignal.com/ | ISO 9001:2008 / ISO 27001:2005
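As an added example (not code from FlightGear or from anyone in this thread), the general shape of the bug class discussed above and the check a maintainer would want: property-tree string values such as cloud layer names, whether they arrive over the telnet/props interface, from the GUI, or from Nasal, must only ever reach a printf-style function as an argument, never as the format itself. The function names, the log format and the sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed names; FlightGear's real property paths and logging
   code are not reproduced here. */

/* Returns true when an untrusted string contains a printf directive
   ("%" not escaped as "%%"). Such a value is harmless as an argument
   but dangerous if it ever becomes the format string, which is the
   bug class in the report above. Useful as a log/alert check on
   values written into the property tree from any of the three paths. */
bool value_has_format_directive(const char *value)
{
    for (const char *p = value; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* literal percent sign, skip the pair */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

/* Vulnerable pattern (do not write this):
 *     snprintf(buf, sizeof buf, name);      // name is the format
 * Hardened form: the untrusted value is an argument and the format is
 * a compile-time literal, so "%n" or "%x" inside name are printed
 * verbatim. Building with -Wformat -Wformat-security makes GCC/Clang
 * flag the vulnerable pattern at compile time. */
const char *format_cloud_layer_name(int layer, const char *name)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "cloud layer %d name: %s", layer, name);
    return buf;
}

int main(void)
{
    /* Constructed sample values: benign, escaped percent, and hostile. */
    const char *samples[] = { "Cumulus", "100%% humidity", "%x%x%x%n" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-16s directive=%-3s | %s\n", samples[i],
               value_has_format_directive(samples[i]) ? "yes" : "no",
               format_cloud_layer_name(1, samples[i]));
    }
    return 0;
}
```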
