*************************************************************************** Priv8 Security Research - #2004-001 security@priv8security.com http://www.priv8security.com Adriano Lima February 22nd, 2004 --------------------------------------------------------------------------- Package Name: LCDProc Vendor URL: http://lcdproc.omnipotent.net Date: 2004-02-22 ID: PSR-#2004-002 Affected Version: 0.4.1 and lower Risk: HIGH *************************************************************************** Package Description: LCDproc is a software that displays real-time system information from your Linux/*BSD box on a LCD. The server supports several serial devices: Matrix Orbital, Crystal Fontz, Bayrad, LB216, LCDM001 (kernelconcepts.de), Wirz-SLI, Cwlinux(.com) and PIC-an-LCD; and some devices connected to the LPT port: HD44780, STV5730, T6963, SED1520 and SED1330. Various clients that display things like CPU load, system load, memory usage, uptime, and a lot more, are available. Problem Description: Multiple bugs were found on LCDd server version 0.4.1 and lower that allow remote users to execute arbitrary code. Problem 1: Function parse_all_client_messages() on parse.c file. if (invalid) { // FIXME: Check for buffer overflows here... sprintf (errmsg, "huh? Invalid command \"%s\"\n", argv[0]); sock_send_string (c->sock, errmsg); } Sending an invalid long command, we overflow "errmsg" buffer, gaining control of the eip register. Obs: Look at the FIXME msg, I guess he forgot to check it. Problem 2: Function test_func_func() on client_functions.c. int test_func_func (client * c, int argc, char **argv) { int i; char str[256]; for (i = 0; i < argc; i++) { sprintf (str, "test_func_func: %i -> %s\n", i, argv[i]); printf (str); sock_send_string (c->sock, str); } return 0; } Sending a long argv on test_func command, will cause an overflow on "str" buffer. Problem 3: On same function above, it is possible to exploit a format string bug on print(str); Testing: See proof of concept code on http://www.priv8security.com/releases/lcdproc/priv8lcd.pl Solutions: It is recommended that all users upgrade to version 0.4.4 and install the follow patch coded by Rodrigo Rubira Branco: http://www.priv8security.com/releases/lcdproc/lcdproc.patch References: http://www.priv8security.com/releases/lcdproc/lcdproc.adv1 http://www.priv8security.com/releases/lcdproc/lcdproc.adv2 http://www.priv8security.com/releases/lcdproc/lcdproc.patch http://www.priv8security.com/releases/lcdproc/priv8lcd.pl ADDITIONAL INSTRUCTIONS: Apply this patch against the latest version of lcdproc. About Priv8 Security Research Group: Priv8 Security is a group of programmers and enthusiastic friends new and motivated the security area. Questions: If you have any questions, send a mail to security@priv8security.com Check out our mailing lists: The advisory itself is available at --------------------------------------------------------------------------- All advisories are signed with PRTT's GPG key. The key and instructions on how to import it can be found at http://www.priv8security.com Instructions on how to check the signatures of the packages can be found at http://www.priv8security.com --------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://www.priv8security.com --------------------------------------------------------------------------- Copyright (c) 2004 Priv8 Security http://www.priv8security.com --------------------------------------------------------------------------- subscribe: security@priv8security.com unsubscribe: security@priv8security.com