****************************************
* IMPORTANT *
* PLEASE DO NOT ACT ON OR PUBLISH THIS *
* BEFORE THE RELEASE DATE *
****************************************
Hello,
Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project
have found several format string security bugs in Osiris. They
are caused by having user-controlled data as the format string to
syslog(3) instead of utilizing a fixed format string such as "%s",
and they cause crashes or the execution of arbitrary machine code.
The format string bugs affect Debian stable, testing and unstable
as well as the latest upstream release and upstream's trunk in
their Subversion repository.
The osirismd server can be exploited by connecting to it from a
machine with a malicious hostname:
echo '127.4.0.1 AAAA|%537$n' >> /etc/hosts
nc 127.4.0.1 2266
It thus works from unauthorized hosts only (which is everything
but 127.0.0.1 in the Debian default config) and requires control
of the corresponding PTR entries in the DNS, making it slightly
harder to exploit.
The osirisd server can be exploited by sending malicious SSL
certificates to it. See the attached proof-of-concept program
osirisd.py that should be run in this manner:
python osirisd.py localhost 2265
I have attached a patch against Debian stable that corrects the
issues. It should be trivial to port it to other versions of Osiris.
I hope that we can cooperate by agreeing on an official release date,
when we will make this information public in a coordinated manner.
// Ulf Harnhammar, Debian Security Audit Project
http://www.debian.org/security/audit/
Attachments:
  osiris.formatstringbugs.patch (text document)
  osirisd.py (text data)
_______________________________________________
Debian-audit mailing list
Debian-audit@xxxxxxxxxxxxx
http://shellcode.org/mailman/listinfo/debian-audit
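The bug class the advisory describes, as an added example in C; this is not Osiris code and not the attached Debian patch, and the function names are mine. It shows the vulnerable syslog(3) call beside the fixed "%s" form, a checker that counts printf conversions (including the positional "%N$" form) in untrusted text, and what %n actually does when the pointer is legitimately supplied. The sample hostname is the one from the /etc/hosts line in the message above; the vulnerable function is compiled but never called, because evaluating "%537$n" with no matching argument is undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample (from the /etc/hosts line in the advisory): the name a
 * reverse lookup would hand back to the daemon for the connecting peer. */
static const char *const SAMPLE_PEER = "AAAA|%537$n";

/* VULNERABLE: attacker-controlled text is passed as the format string, so
 * printf-style parsing is applied to it.  Kept only to show the bug; it is
 * never called here, because "%537$n" fetches a nonexistent 537th argument
 * and writes through it (undefined behaviour: crash or arbitrary write).
 * gcc/clang -Wformat-security flags exactly this call; the pragma keeps the
 * example compiling under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_peer_vulnerable(const char *peer)
{
    syslog(LOG_WARNING, peer);
}
#pragma GCC diagnostic pop

/* FIXED: constant format, peer goes in as an argument; any '%' in it is data. */
void log_peer_fixed(const char *peer)
{
    syslog(LOG_WARNING, "%s", peer);
}

/* The fixed call rendered with snprintf so it can be checked offline
 * (syslog formats the same way).  Returns 1 if the output equals the input
 * byte for byte, i.e. nothing in it was interpreted as a directive. */
int fixed_render_is_verbatim(const char *peer)
{
    char buf[128];
    int n = snprintf(buf, sizeof buf, "%s", peer);
    return n == (int)strlen(peer) && strcmp(buf, peer) == 0;
}

/* Count printf conversions in untrusted text, treating "%%" as a literal.
 * Handles the positional "%N$" form used in the advisory as well as the
 * flags/width/precision/length prefix.  *has_n is set if any conversion is
 * %n, the one that writes to memory. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                   /* "%%" */
        const char *q = p;                              /* positional "N$" */
        while (isdigit((unsigned char)*q))
            q++;
        if (*q == '$')
            p = q + 1;
        while (*p && strchr("-+ #0", *p))               /* flags */
            p++;
        while (isdigit((unsigned char)*p) || *p == '*') /* width */
            p++;
        if (*p == '.') {                                /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*')
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))             /* length modifier */
            p++;
        if (*p == '\0')
            break;                                      /* truncated directive */
        count++;
        if (*p == 'n')
            *has_n = 1;
    }
    return count;
}

int conversions_in(const char *s)  { int n; return count_conversions(s, &n); }
int has_n_directive(const char *s) { int n; count_conversions(s, &n); return n; }

/* %n is ordinary printf: it stores the byte count so far through the pointer
 * argument.  With a pointer we supply it is harmless; in the vulnerable call
 * the attacker's "%537$n" makes the pointer come from the 537th argument
 * slot, i.e. from whatever happens to lie there on the stack. */
int bytes_counted_by_n(void)
{
    int count = -1;
    char buf[16];
    snprintf(buf, sizeof buf, "AAAA%n", &count);
    return count;                                       /* 4 */
}

int main(void)
{
    printf("\"%s\": %d conversion(s), %%n present: %d\n", SAMPLE_PEER,
           conversions_in(SAMPLE_PEER), has_n_directive(SAMPLE_PEER));
    printf("fixed form logs it verbatim: %d\n", fixed_render_is_verbatim(SAMPLE_PEER));
    printf("%%n stored: %d\n", bytes_counted_by_n());
    openlog("fmt-example", LOG_PID, LOG_USER);
    log_peer_fixed(SAMPLE_PEER);                        /* safe even with this name */
    closelog();
    return 0;
}
```

The checker is a review aid, not a substitute for the fix: rejecting names that contain '%' would still leave every other call site that passes data as a format, whereas the constant "%s" format makes the content of the data irrelevant. Building with -Wformat -Wformat-security (and -Werror=format-security) catches the vulnerable call form at compile time.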