HylaFAX - Various Vulnerabilities Fixed

From: Lee Howard (faxguyat_private)
Date: Mon Jul 29 2002 - 10:02:06 PDT


    HylaFAX.org Security Advisory
    17 June 2002
    
    Subject: Various Vulnerabilities Fixed
    
    
    Introduction:
    
    HylaFAX is a mature (est. 1991) enterprise-class open-source software
    package for sending and receiving facsimiles as well as for sending
    alpha-numeric pages.  It runs on a wide variety of UNIX-like platforms
    including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
    AIX, and HP-UX.  See http://www.hylafax.org
    
    HylaFAX.org has hosted, distributed, and directed HylaFAX software
    development since 1997.
    
    iFax Solutions is the commercial support arm of HylaFAX.org and provides
    single-incident or annual support contracts as well as other commercial
    support options.  See http://www.hylafax.org/support.html
    
    
    Problem Description and Impact:
    
    iFax Solutions recently discovered that HylaFAX faxgetty in versions prior
    to 4.1.3 does not check the TSI string received from the remote facsimile
    system before using it in logging and elsewhere.  The reception protocol
    does, however, limit the length of the TSI string to twenty characters.
    Consequently, a remote sender with a specially-formatted TSI string can
    cause faxgetty to crash with a segmentation fault; although it is unlikely
    that this could be used to execute arbitrary commands, it does expose an
    easily exploitable denial of service vulnerability.
    
    Development discussion to eliminate this vulnerability is available at:
    http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300
    
    Christer Oberg reported on Bugtraq in September 2001 that HylaFAX faxrm
    and faxalter had format strings vulnerabilities (see
    http://www.securityfocus.com/archive/1/215984).
    HylaFAX development found this vulnerability to be applicable to all
    executables in versions prior to 4.1.3 which accept the "-h host" option
    because the mentioned user input was not checked before sending an error
    message to standard error/output.  These binaries include faxalter, faxrm,
    faxstat, sendfax, sendpage, and faxwatch.  In distributions such as
    FreeBSD which independently made any of these binaries set-uid (not the
    HylaFAX default), an attacker could use these vulnerabilities to gain
    elevated system privileges.
    
    Development discussion to eliminate these vulnerabilities is available at:
    http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=202
    
    CAN-2001-1034 was assigned to this vulnerability.  See
    http://www.securityfocus.com/bid/3357 for details.
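
Both of the problems above share one root cause: remote- or user-supplied text (the TSI string, the "-h host" argument) reaching a printf-style routine as the format argument, and the TSI additionally being used without a length check. The following is an added illustration, not HylaFAX's own code or its actual fix: a hypothetical sanitizer that enforces the twenty-character TSI limit and the character set T.30 permits in a TSI (digits, "+", space), beside the safe logging pattern of a fixed format string with the data passed as an argument.

```c
#include <stdio.h>
#include <string.h>

#define TSI_MAX 20          /* T.30 caps the TSI at 20 characters */

/* Characters T.30 permits in a TSI: digits, '+', and space. */
static int tsi_char_ok(char c)
{
    return (c >= '0' && c <= '9') || c == '+' || c == ' ';
}

/*
 * Hypothetical sanitizer (assumption: not HylaFAX's code).  Copies the
 * remote TSI into a fixed 21-byte buffer, stopping at 20 characters and
 * replacing any character outside the T.30 set with '?'.  Returns the
 * number of replaced characters so a caller can log or alert on senders
 * that transmit something other than a phone number.
 */
int sanitize_tsi(const char *raw, char out[TSI_MAX + 1])
{
    int replaced = 0;
    size_t i;
    for (i = 0; i < TSI_MAX && raw[i] != '\0'; i++) {
        if (tsi_char_ok(raw[i])) {
            out[i] = raw[i];
        } else {
            out[i] = '?';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/*
 * Builds the log line for the received TSI.  The vulnerable pattern the
 * advisory describes is handing remote data to the logger as the format
 * itself, e.g.  fprintf(stderr, tsi);  so that any '%' directives in the
 * TSI are interpreted.  The safe form keeps the format string constant,
 * passes the data as an argument, and writes into a bounded buffer.
 * Returns the sanitizer's replacement count.
 */
int format_tsi_log(const char *raw, char *line, size_t linelen)
{
    char tsi[TSI_MAX + 1];
    int replaced = sanitize_tsi(raw, tsi);
    snprintf(line, linelen, "REMOTE TSI \"%s\"", tsi);  /* constant format */
    return replaced;
}
```

The same two rules, a constant format string and a bounded copy, apply equally to the "-h host" error message path in the client utilities.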
    
    In recent testing, Lee Howard discovered that faxgetty would segfault due
    to a buffer overflow after receiving a very large line of image data.
    Potentially, this vulnerability could allow an attacker to craft a
    malicious fax-sending mechanism that calls a vulnerable host, conceivably
    using the buffer overflow to execute arbitrary commands on the host
    system.  Since on most installations faxgetty is run as root, such an
    exploitation would allow the abuse of root permissions.  This
    vulnerability could more easily be abused for denial of service purposes.
    
    Development discussion to eliminate this vulnerability is available at:
    http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=312
    
    Status:
    
    HylaFAX development has corrected all of the vulnerabilities described
    here as well as provided numerous other bugfixes and enhancements in its
    recent 4.1.3 patchlevel code release.  All users are strongly encouraged
    to upgrade.  See http://www.hylafax.org/download.html to obtain 4.1.3
    source code.
    
    For users who are somehow unable to upgrade, HylaFAX CVS-based patches are
    available for these vulnerabilities individually at
    http://bugs.hylafax.org/bugzilla/attachment.cgi?id=290&action=view,
    http://bugs.hylafax.org/bugzilla/attachment.cgi?id=300&action=view, and
    http://bugs.hylafax.org/bugzilla/attachment.cgi?id=318&action=view
    respectively.
    
    There are no known exploits for any of the described vulnerabilities
    beyond what is stated above.
    
    
    Thanks:
    
    Special thanks go to iFax Solutions and Christer Oberg for pointing out
    these vulnerabilities to HylaFAX development.  Many thanks also go to
    Vyacheslav Frolov and Patrice Fournier for their development work in
    providing these patches.
    
    --
    Lee Howard
    HylaFAX Support Engineer
    iFax Solutions, Inc.
    lee.howardat_private
    