ike-scan Local Format String

2003-06-12T22:40:59
ID OSVDB:2139
Type osvdb
Reporter OSVDB
Modified 2003-06-12T22:40:59

Description

Vulnerability Description

ike-scan 1.0 and 1.1 are vulnerable to a format string attack. This vulnerability can be used by a local user to gain a root shell on the system if ike-scan has been set to suid root. By default, ike-scan is not set to suid root, so there is no privilege escalation by default.

Technical Description

ike-scan 1.0 and 1.1 contain a format string error in err_print() which can be exploited by a local user to gain a root shell on the system. In order for this exploit to work, ike-scan must be specifically set as suid root, which it is not by default.

Solution Description

Upgrade to ike-scan 1.2 or higher or unset suid root on ike-scan.

Short Description

ike-scan 1.0 and 1.1 are vulnerable to a format string attack. This vulnerability can be used by a local user to gain a root shell on the system if ike-scan has been set to suid root. By default, ike-scan is not set to suid root, so there is no privilege escalation by default.

Manual Testing Notes

Issue the following command:

./ike-scan %x

ike-scan[7372]: ImmunixOS format error - mismatch of 0 in syslog() called by err_print

There is also a public exploit 0x82-eat_ike-scan.c. This should prove exploitation if ike-scan is suid root.
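The bug class behind the FormatGuard message above, as an added example that is not ike-scan's own source: count_directives() reproduces the check ImmunixOS performed ("mismatch of 0" means conversion directives were present but 0 arguments were supplied), and err_print_fixed() is a hypothetical hardened err_print that passes the message as data under a constant "%s" format, the same repair that applies to syslog(). The "ike-scan: " prefix and the function names are assumptions.

```c
/* Added example (not from ike-scan): the format string bug class of OSVDB 2139.
 * A caller-controlled string must never be the FORMAT argument of a
 * printf-family function or syslog(); it must be passed as a "%s" argument. */
#include <stdio.h>
#include <string.h>

/* Count the conversion directives a printf-family function would consume.
 * "%%" is an escaped literal percent sign, not a directive. */
int count_directives(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" -> literal '%' */
        n++;
    }
    return n;
}

/* Mirror of the guard check: returns 1 when the format would consume more
 * arguments than the caller supplied (the "mismatch" FormatGuard reported). */
int format_mismatch(const char *fmt, int nargs_supplied) {
    return count_directives(fmt) > nargs_supplied;
}

/* Hypothetical hardened err_print: the message is data, the format is a
 * constant. The equivalent for the logging path is syslog(LOG_ERR, "%s", msg). */
int err_print_fixed(char *out, size_t outsz, const char *msg) {
    return snprintf(out, outsz, "ike-scan: %s", msg);
}

/* Convenience wrapper returning the formatted line (static buffer, not
 * reentrant; enough for a demonstration). */
const char *err_print_fixed_str(const char *msg) {
    static char buf[256];
    err_print_fixed(buf, sizeof buf, msg);
    return buf;
}

int main(void) {
    const char *arg = "%x";   /* constructed: the argument from the testing note */
    printf("directives in \"%s\": %d, mismatch with 0 args: %d\n",
           arg, count_directives(arg), format_mismatch(arg, 0));
    printf("fixed output: %s\n", err_print_fixed_str(arg)); /* literal "%x" */
    return 0;
}
```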

References:

ISS X-Force ID: 12276
Generic Informational URL: http://www.secnetops.com/research/advisories/SRT2003-06-12-0853.txt
Generic Informational URL: http://www.nta-monitor.com/ike-scan/
Generic Exploit URL: http://www.ibiblio.org/osvdb/exploits/0x82-eat_ike-scan.c
Bugtraq ID: 7897