security advisory - OpenVMPS

2005-10-10T00:00:00
ID SECURITYVULNS:DOC:9889
Type securityvulns
Reporter Securityvulns
Modified 2005-10-10T00:00:00

Description

security advisory - OpenVMPS

What is it?

OpenVMPS is a substitute implementation of Cisco Virtual Membership Policy Server (on Catalyst [65]500 family of switches). It is used on Cisco LAN switces to dynamically assign ports to VLANs according to Ethernet Address. Because it was developed solely on infomation obtained by observing the network traffic between switches it is probably not complete but it is a working subset of the protocol. More on VMPS you can find on www.cisco.com, search for VMPS.

URL

http://sourceforge.net/projects/vmps

Where is bug?

The bug exists in /vmpsd-1.3/log.c It's format string type vulnerability. Can be used to gain access localy or remotely.


void vmps_log(const int level, const char *fmt, ...) {

char    str[256];
va_list ap;

if ( ((log_level & 0xFF00) >= (level & 0xFF00)) &&
     ((level & log_level & 0x00FF) > 0) ) {

    va_start(ap, fmt);

    if ( !log_opened ) {
        openlog("vmpsd", LOG_CONS, LOG_LOCAL6);
        log_opened = 1;
    }
    vsnprintf(str, 256, fmt, ap);
    syslog(LOG_INFO, str); // here is the bug

Here is classical format string vulnerability. It's easy to exploit.

Credits?

Credits goes to mazahaquer http:// [at] mazahaquer ok h0nest [dot] org kz