Formatting string bug on cyrus-sasl library

2001-11-02T00:00:00
ID SECURITYVULNS:DOC:2149
Type securityvulns
Reporter Securityvulns
Modified 2001-11-02T00:00:00

Description

This issue may be already have been on list. I assume that the moderator this case rejects this mail.

On last non-beta version of cyrus-sasl library have formatting string bug on default logging callback.

Default cyrys sasl logging callback is

static int _sasl_syslog(void context attribute((unused)), int priority, const char message)

on end of that function there is is

/* do the syslog call. do not need to call openlog */
syslog(syslog_priority | LOG_AUTH, message);

return SASL_OK;

}

syslog takes format string as argument.

That is cyrus-sasl-1.5.24. That is lastest non-beta version on ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

I have told that this is fixed on beta version.

From: Lawrence Greenfield Date: Sun, 30 Sep 2001 10:12:19 -0400

If you take a look at ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/BETA/cyrus-sasl-1.5.27.tar.gz

you'll notice that it has bug #326 fixed.

Cyrus-sasl library is used on applications such as Cyrus Imapd OpenLDAP Sendmail and perhaps others.

If you do not want use beta version, you may fix that yourself. For example something like

--- lib/common.c.orig Maanantai Heinдkuu 17 20:21:02 2000 +++ lib/common.c Tiistai Lokakuu 2 12:31:13 2001 @@ -596,7 +596,9 @@ }

 /* do the syslog call. do not need to call openlog */
  • syslog(syslog_priority | LOG_AUTH, message); +
  • / Patched by Kari Hurtta -- 2001-10-02 /
  • syslog(syslog_priority | LOG_AUTH, "%s", message);

    return SASL_OK; }

Generally cyrus plugins does not log useraname or similar data to log, but there is at least one plugin which seems indirectly call that function with user supplied data. You may also want check if there is bad data logged in case of protocoll errors.

I should add that author does not believe that to be exploitable.

From: Lawrence Greenfield Date: Sun, 30 Sep 2001 10:12:19 -0400

You'll notice that _sasl_syslog() is called only from _sasl_log(), which does the format expansion itself. I agree that the above is poor programming (which is why it was fixed) but doesn't appear to be exploitable (which is why I didn't rush out to release another libsasl version). ================================================

My opinion is that it does not matter if _sasl_log() does formatting. Call is something like

 log_helper_function("some text %s more text",user_data);

where user_data is passed from somewhere, and includes user suplied data. _sasl_log() will produce from that string like

     some text attack here more text

which is passed to syslog as format string. Data from user_data ("attack here") may include format arguments. Therefor formating done by _sasl_log() does not matter. _sasl_log() perhaps truncates data from user_data, but I do not think that it matters.

If you search that bugid

http://bugzilla.andrew.cmu.edu/show_bug.cgi?id=326

you notice that that bug is reported and fixed about one year ago. So perhaps you have already hear about that...

-- /"\ | Kari \ / ASCII Ribbon Campaign | Hurtta X Against HTML Mail | / \ |