Formatting string bug on cyrus-sasl library

From: Kari Hurtta (hurtta+zzat_private)
Date: Wed Oct 31 2001 - 22:55:07 PST


    This issue may already have been on the list. I assume
    that the moderator in that case rejects this mail.
    
    The last non-beta version of the cyrus-sasl library has a
    format string bug in the default logging callback.
    
    The default cyrus-sasl logging callback is
    
    static int _sasl_syslog(void *context __attribute__((unused)),
                            int priority,
                            const char *message)
    
    and at the end of that function there is
    
        /* do the syslog call. do not need to call openlog */
        syslog(syslog_priority | LOG_AUTH, message);
    
        return SASL_OK;
    }
    
    syslog takes a format string as argument.
    
    That is cyrus-sasl-1.5.24. That is the latest non-beta version on
     ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
    
    
    I have been told that this is fixed in the beta version.
    ================================================
    From: Lawrence Greenfield
    Date: Sun, 30 Sep 2001 10:12:19 -0400
    
    If you take a look at
    ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/cyrus-sasl-1.5.27.tar.gz
    
    you'll notice that it has bug #326 fixed.
    ================================================
    
    The cyrus-sasl library is used in applications such as
    	   Cyrus Imapd
    	   OpenLDAP
    	   Sendmail
    	   and perhaps others.
    
    If you do not want to use the beta version, you may fix that yourself.
    For example, something like
    
    --- lib/common.c.orig	Maanantai Heinäkuu 17 20:21:02 2000
    +++ lib/common.c	Tiistai Lokakuu  2 12:31:13 2001
    @@ -596,7 +596,9 @@
         }
         
         /* do the syslog call. do not need to call openlog */
    -    syslog(syslog_priority | LOG_AUTH, message);
    +
    +    /* Patched by Kari Hurtta -- 2001-10-02   */
    +    syslog(syslog_priority | LOG_AUTH, "%s", message);
         
         return SASL_OK;
     }
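    Review bot: the `"%s"` form is the right fix for this call; the only things I would change are dropping the `/* Patched by Kari Hurtta -- 2001-10-02 */` comment from the function body (that belongs in the commit message, not next to the call) and, since the message that reaches this callback still carries whatever `%` sequences the user data contained after `_sasl_log()` expanded its own format, checking that no other printf-family sink in the logging path takes the expanded message as its format argument.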
    
    
    
    Generally the cyrus plugins do not log usernames or similar data,
    but there is at least one plugin which seems to indirectly call that
    function with user-supplied data. You may also want to check if there is
    bad data logged in case of protocol errors.
    
    
    I should add that the author does not believe that to be exploitable.
    ================================================
    From: Lawrence Greenfield
    Date: Sun, 30 Sep 2001 10:12:19 -0400
    
    You'll notice that _sasl_syslog() is called only from _sasl_log(),
    which does the format expansion itself.  I agree that the above is
    poor programming (which is why it was fixed) but doesn't appear to be
    exploitable (which is why I didn't rush out to release another libsasl
    version).
    ================================================
    
    
    My opinion is that it does not matter if _sasl_log()
    does formatting. The call is something like
    
         log_helper_function("some text %s more text",user_data);
    
    where user_data is passed from somewhere and includes user-supplied data.
    _sasl_log() will produce from that a string like
    
    	 some text attack here more text
    
    which is passed to syslog as the format string. Data from user_data
    ("attack here") may include format arguments. Therefore the formatting done by
    _sasl_log() does not matter. _sasl_log() perhaps truncates data from
    user_data, but I do not think that it matters.
    
    If you look up that bug id
    
       http://bugzilla.andrew.cmu.edu/show_bug.cgi?id=326 
    
    you will notice that that bug was reported and fixed about one year ago.
    So perhaps you have already heard about that...
    
    -- 
              /"\                           |  Kari 
              \ /     ASCII Ribbon Campaign |    Hurtta
               X      Against HTML Mail     |
              / \                           |
    
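    Added example (not from the post and not cyrus-sasl code): a small C model of the two-stage path described above, with `expand_once` standing in for `_sasl_log()` and the two sinks standing in for the unpatched and patched `_sasl_syslog()`. The constructed user input uses `%%`, the one directive that renders without undefined behaviour, so the effect of the sink interpreting the expanded message as a format string is visible and comparable.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256

/* Stand-in for _sasl_log(): expands the caller's format exactly once,
   the way the library does before handing text to the logging callback.
   It is also the printf-like machinery that syslog() uses on its format. */
static void expand_once(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Unpatched _sasl_syslog() shape: the already-expanded message becomes the
   format string, so any '%' sequence left in it is interpreted again. */
static void sink_unpatched(char *out, size_t n, const char *message) {
    expand_once(out, n, message);
}

/* Patched shape: the message is only ever an argument to a fixed "%s". */
static void sink_patched(char *out, size_t n, const char *message) {
    expand_once(out, n, "%s", message);
}

static char g_unpatched[LOG_BUF], g_patched[LOG_BUF];

/* Returns 1 if the text still carries a '%' after the first expansion. */
int message_has_directive(const char *message) {
    return strchr(message, '%') != NULL;
}

/* Runs one user_data value through the caller format, then through both
   sinks; returns 1 when the unpatched sink altered the text (i.e. it
   consumed a directive that came from user_data, not from the caller). */
int sinks_differ(const char *user_data) {
    char message[LOG_BUF];
    expand_once(message, sizeof message, "some text %s more text", user_data);
    sink_unpatched(g_unpatched, sizeof g_unpatched, message);
    sink_patched(g_patched, sizeof g_patched, message);
    return strcmp(g_unpatched, g_patched) != 0;
}
const char *last_unpatched(void) { return g_unpatched; }
const char *last_patched(void) { return g_patched; }

int main(void) {
    int d = sinks_differ("100%% done");   /* constructed user input */
    printf("unpatched: %s\npatched:   %s\ndiffer=%d\n",
           last_unpatched(), last_patched(), d);
    return 0;
}
```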



    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 09:58:54 PST