[CERT-intexxia] AOLServer DB Proxy Daemon Format String Vulnerability

From: Benoît Roussel (benoit.rousselat_private)
Date: Tue Apr 16 2002 - 04:53:22 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ________________________________________________________________________
    SECURITY ADVISORY                                            INTEXXIA(c)
    30 01 2002                                               ID #1052-300102
    ________________________________________________________________________
    TITLE   : AOLServer DB Proxy Daemon Format String Vulnerability
    CREDITS : Guillaume Pelat found this vulnerability / INTEXXIA
    ________________________________________________________________________
    
    
    SYSTEM AFFECTED
    ===============
    
            AOLServer 3.4.2
            AOLServer 3.4.1
            AOLServer 3.4
            AOLServer 3.3.1
            AOLServer 3.2.1
            AOLServer 3.2
            AOLServer 3.1
            AOLServer 3.0
    
    
    ________________________________________________________________________
    
    
    DESCRIPTION
    ===========
    
            The Laboratory  intexxia found  a format string vulnerability in
    the AOL Server external database driver proxy daemon API that could lead
    to a privilege escalation.
    
    
    ________________________________________________________________________
    
    
    DETAILS
    =======
    
            AOL Server provides  an API  to develop external database driver
    proxy daemons. Those daemons are linked to a library (libnspd.a).
    
    The Laboratory  intexxia found  a format  string and  a buffer  overflow
    vulnerability in  the 'Ns_PdLog'  function of  the  library.  Successful
    exploitation of the bug could allow an  attacker to execute code and get
    access on the system.
    
    As a result, all  the External Driver Proxy Daemons using the 'Ns_PdLog'
    function  with  the  'Error'   or  'Notice'  parameter  are  potentially
    vulnerable.
    
    
    ________________________________________________________________________
    
    
    SOLUTION
    ========
    
            This vulnerability has been  fixed in the current version in CVS
    branch  nsd_v3_r3_p0 (post-AOLserver  3.4.2) and  can  be  used  for any
    affected version.  The patch  used was  created by  intexxia and  can be
    found in  attachment. More  information can  be found  at the  following
    URL :
    
    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1
    
    
    ________________________________________________________________________
    
    
    VENDOR STATUS
    =============
    
            14-03-2002 : This bulletin was sent to the development team.
            19-03-2002 : The vendor confirmed the vulnerability and fixed it
                         in  the  CVS  branch  nsd_v3_r3_p0  (post-AOLserver
                         3.4.2).
    
    
    ________________________________________________________________________
    
    
    LEGALS
    ======
    
            AOL Server is a registered trademark.
    
    
            Intexxia provides this  information  as a public service and "as
    is". Intexxia  will not be  held accountable for  any damage or distress
    caused by the proper or improper usage of these materials.
    
    
            (c) intexxia 2002. This  document is property  of intexxia. Feel
    free to use and distribute  this material as long as  credit is given to
    intexxia and the author.
    
    
    ________________________________________________________________________
    
    
    CONTACT
    =======
    
    CERT intexxia                                          certat_private
    INTEXXIA                                         http://www.intexxia.com
    171, av. Georges Clemenceau                 Standard : +33 1 55 69 49 10
    92024 Nanterre Cedex - France                    Fax : +33 1 55 69 78 80
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPLwQr02N8BNyNDXLEQK7yQCfVh/7x6yBxWKEi5iwRDaHEHuilGUAoN+u
    14o6inQET/8E4GdnfqgS6Jtj
    =YKem
    -----END PGP SIGNATURE-----
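
The bug class named under DETAILS, shown as an added example that is not part of the advisory and not AOLserver source: a logging helper that formats into a fixed buffer without a bound and then passes the result on as a format string, next to the bounded form that uses a constant "%s". The names pd_log_vulnerable, pd_log_safe, pd_last_message and sink, and the 64-byte buffer, are hypothetical; sink() stands in for a syslog-style call so the result can be inspected.

```c
/* Added illustration; hypothetical names, not the libnspd code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64                 /* small on purpose for the demo */

static char last_msg[256];         /* what the log sink received */

/* Stand-in for a syslog-style call: it expands fmt itself. */
static void sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern, shown for contrast and never called here:
 * vsprintf() has no bound, so a long argument overruns msg[], and
 * msg is then used as the format, so a '%' that arrived through an
 * argument is interpreted a second time. */
void pd_log_vulnerable(const char *fmt, ...)
{
    char msg[MSG_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);
    va_end(ap);
    sink(msg);
}

/* Hardened pattern: bounded formatting, then a constant "%s" format.
 * Returns 1 when the message was truncated, 0 otherwise. */
int pd_log_safe(const char *fmt, ...)
{
    char msg[MSG_MAX];
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    sink("%s", msg);
    return n < 0 || (size_t)n >= sizeof msg;
}

const char *pd_last_message(void) { return last_msg; }
```

When auditing a proxy daemon built against an affected library, the same two checks apply to its own logging calls: every caller-influenced string should reach the logger as an argument, never as the format.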
    
    
    



