76665 2005-01-04 10:21 0000 www-client/dillo: format string vulnerability, arbritrary code execution likely. 2005-08-15 21:27:44 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://dev.gentoo.org/~taviso/dillo.htm B2 [glsa] P2 normal --- 1 taviso@gentoo.org security@gentoo.org usata@gentoo.org taviso@gentoo.org 2005-01-04 10:21:51 0000 using dillo, visit the URL above, then look at the statusbar message. If you see a message like "Not Found: fa854ef32fa342" or similar, dillo interpreted the format string specifiers I sent it in the specially crafted html file. This could likely be used to execute arbritrary code simply by visiting an attackers website, or viewing an html email (some mua's use dillo for html rendering, i use with muttt when no plain text part is sent!). taviso@gentoo.org 2005-01-04 10:55:35 0000 btw, the responsible code is at interface.c:1061 here's some backtrace Breakpoint 1, a_Interface_msg (bw=0x80f4118, format=0x81c8570 "File Not Found: /%x%x%x") at interface.c:1061 (gdb) bt #0 a_Interface_msg (bw=0x80f4118, format=0x81c8570 "File Not Found: /%x%x%x") at interface.c:1061 #1 0x0805b7f1 in a_Capi_ccc (Op=2, Branch=2, Dir=1, Info=0x81cbc40, Data1=0x81c7df8, Data2=0x81c84b0) at capi.c:500 #2 0x0805bd2d in a_Chain_fcb (Op=2, Info=0x81cbd10, Data1=0x81c7df8, Data2=0x81c84b0) at chain.c:89 #3 0x080ac14e in Dpi_parse_token (conn=0x81cbc60) at dpi.c:263 #4 0x080ac35f in Dpi_process_io (Op=0, Data1=0x81cbd30, conn=0x81cbc60) at dpi.c:317 #5 0x080ad1e5 in a_Dpi_ccc (Op=2, Branch=3, Dir=1, Info=0x81cbd10, Data1=0x81cbd30, Data2=0x0) at dpi.c:703 #6 0x0805bd2d in a_Chain_fcb (Op=2, Info=0x81cbc00, Data1=0x81cbd30, Data2=0x0) at chain.c:89 #7 0x080ae696 in a_IO_ccc (Op=2, Branch=2, Dir=1, Info=0x81cbc00, Data1=0x81cbd30, Data2=0x0) at IO.c:691 #8 0x080adfc2 in IO_read (io=0x81cbd30) at IO.c:466 #9 0x080ae249 in IO_callback (src=0x81cbc28, cond=17, data=0x5) at IO.c:556 #10 0x4039c474 in g_io_add_watch () from /usr/lib/libglib-1.2.so.0 koon@gentoo.org 2005-01-04 11:33:48 0000 Tavis: I assume you find it, so I will temporarily set Component to Auditing so that the Audit team can verify it. Looks like a classic format string thing to me, but I didn't look at the code. taviso@gentoo.org 2005-01-04 14:05:22 0000 Okay, here are some of the details for whoever checks it out: vulnerable code: 1051 /* 1052 * Set the status string on the bottom of the dillo window. 1053 */ 1054 void a_Interface_msg(BrowserWindow *bw, const char *format, ... ) 1055 { 1056 static char msg[1024]; 1057 va_list argp; 1058 1059 if ( bw ) { 1060 va_start(argp, format); 1061 vsnprintf(msg, 1024, format, argp); 1062 va_end(argp); 1063 a_I18n_gtk_label_set_text(GTK_LABEL(bw->status), msg); 1064 bw->status_is_link = 0; 1065 } 1066 } Nothing wrong with this, but look at how it's called in capi.c: 498 } else if (strcmp(Data2, "send_status_message") == 0) { 499 gchar *Data1_enc = a_I18n_locale_to_DILLO_CHARSET(Data1); 500 a_Interface_msg(conn->dd->bw, Data1_enc); 501 g_free(Data1_enc); 502 } else if (strcmp(Data2, "chat") == 0) { where Data1_enc is unfiltered and can be controlled via the html, I've attached a patch that fixes this issue. I think this is a fairly textbook error, shouldnt cause any problems to an attacker. taviso@gentoo.org 2005-01-04 14:06:22 0000 Created an attachment (id=47645) fix format string bug actually, i can see there's another one in there as well, so I fixed that one as well :) koon@gentoo.org 2005-01-05 08:12:19 0000 This looks rather clear to me. Switching to vulnerability. taviso@gentoo.org 2005-01-05 08:41:41 0000 upstream informed (security@ cc'ed). taviso@gentoo.org 2005-01-06 05:05:52 0000 upstream maintainer has replied via email, the issue is now fixed in CVS and plans to make a release candidate later today for a planned full release before Jan 15th. koon@gentoo.org 2005-01-06 06:07:52 0000 This is CAN-2005-0012, public since it leaked from the Dillo Changelogs. usata: please bump to 0.8.3-r4 with patch, or to 0.8.4_rc1 if it's out (your choice). koon@gentoo.org 2005-01-07 05:40:21 0000 Tavis: usata is not available now, I think he won't matter if you commit the patch and/or the rc1 version on his behalf. taviso@gentoo.org 2005-01-07 05:59:30 0000 Okay, I'll bounce some of the info to usata and he can decide about -rc1, it's such a simple patch for 0.8.3 I don't expect any issues with it. taviso@gentoo.org 2005-01-07 06:48:11 0000 www-client/dillo-0.8.3-r4 contains the patch, already stable on x86. koon@gentoo.org 2005-01-07 07:41:27 0000 sparc ppc alpha amd64 arm: please test and mark stable kingtaco@gentoo.org 2005-01-07 18:52:30 0000 amd64 stable pylon@gentoo.org 2005-01-07 21:42:32 0000 ppc stable kloeri@gentoo.org 2005-01-08 13:06:07 0000 Stable on alpha. weeve@gentoo.org 2005-01-08 18:12:34 0000 Stable on sparc. koon@gentoo.org 2005-01-09 10:40:43 0000 Draft ready, security please review koon@gentoo.org 2005-01-09 14:11:32 0000 GLSA 200501-11 arm, please mark stable to benefit from GLSA usata@gentoo.org 2005-01-18 04:30:55 0000 Thanks taviso and koon. I didn't have time to look at it. I'll add dillo-0.8.4.ebuild to CVS asap. 47645 2005-01-04 14:06 0000 fix format string bug dillo-format-string-exploit.diff text/plain LS0tIHNyYy9jYXBpLmMub3JpZwkyMDA1LTAxLTA0IDIxOjU5OjUyLjIzOTI1MDI0MCArMDAwMAor Kysgc3JjL2NhcGkuYwkyMDA1LTAxLTA0IDIyOjAwOjM0LjgyODc3NTY0OCArMDAwMApAQCAtNDk3 LDExICs0OTcsMTEgQEAKIAogICAgICAgICAgICAgfSBlbHNlIGlmIChzdHJjbXAoRGF0YTIsICJz ZW5kX3N0YXR1c19tZXNzYWdlIikgPT0gMCkgewogCQkJICAgZ2NoYXIgKkRhdGExX2VuYyA9IGFf STE4bl9sb2NhbGVfdG9fRElMTE9fQ0hBUlNFVChEYXRhMSk7Ci0gICAgICAgICAgICAgICBhX0lu dGVyZmFjZV9tc2coY29ubi0+ZGQtPmJ3LCBEYXRhMV9lbmMpOworICAgICAgICAgICAgICAgYV9J bnRlcmZhY2VfbXNnKGNvbm4tPmRkLT5idywgIiVzIiwgRGF0YTFfZW5jKTsKIAkJCSAgIGdfZnJl ZShEYXRhMV9lbmMpOwogICAgICAgICAgICAgfSBlbHNlIGlmIChzdHJjbXAoRGF0YTIsICJjaGF0 IikgPT0gMCkgewogCQkJICAgZ2NoYXIgKkRhdGExX2VuYyA9IGFfSTE4bl9sb2NhbGVfdG9fRElM TE9fQ0hBUlNFVChEYXRhMSk7Ci0gICAgICAgICAgICAgICBhX0ludGVyZmFjZV9tc2coY29ubi0+ ZGQtPmJ3LCBEYXRhMSk7CisgICAgICAgICAgICAgICBhX0ludGVyZmFjZV9tc2coY29ubi0+ZGQt PmJ3LCAiJXMiLCBEYXRhMSk7CiAgICAgICAgICAgICAgICAgIGFfQm9va21hcmtzX2NoYXRfYWRk KE5VTEwsIE5VTEwsIERhdGExKTsKIAkJCSAgIGdfZnJlZShEYXRhMV9lbmMpOwogICAgICAgICAg ICAgfSBlbHNlIGlmIChzdHJjbXAoRGF0YTIsICJkaWFsb2ciKSA9PSAwKSB7Cg==