From: greuff at void.at (Thomas Wana)
Subject: void.at - neon format string bugs

[VSA0401 - neon - void.at security notice]

Overview
========

We have discovered a format string vulnerability in neon
(http://www.webdav.org/neon). neon is a webdav client
library, used by Subversion and others.

CVE has assigned the name CAN-2004-0179 to this issue.

Affected Versions
=================

This affects neon versions 0.19.0 onwards when ne_set_error
was changed from taking a single char* to taking printf-style
varargs.

Impact
======

Medium. A man-in-the-middle attack or a fake server is needed. Note
that all clients using this library (such as Subversion) are
affected.

Workaround
==========

neon 0.24.5 fixes the described problem. You can get it from
http://www.webdav.org/neon/neon-0.24.5.tar.gz.

Details
=======

grep for ne_set_error and see for yourself.
One particular bug is that if the response of the web server
doesn't start with "HTTP", it is considered invalid and is
logged via ne_set_error with the response text used as the
format string. A server can supply %08x%08x etc. there and it
will be interpreted by a libc format function.

WebDAV requests always start with PROPFIND:

Request
-------

PROPFIND /lenya/blog/authoring/entries/2003/08/24/peanuts/ HTTP/1.1
Pragma: no-cache
Cache-control: no-cache
Accept: text/*, image/jpeg, image/png, image/*, */*
Accept-Encoding: x-gzip, gzip, identity
Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: 127.0.0.1
Depth: 0

Response
--------

HTTP/1.1 207 Multi-Status
X-Cocoon-Version: 2.1
Set-Cookie: JSESSIONID=320E3B1395B867B5BC42B5FC93457C36; Path=/lenya
Content-Type: text/xml
Transfer-Encoding: chunked
Date: Mon, 25 Aug 2003 14:27:12 GMT
Server: Apache Coyote/1.0


<?xml version="1.0" encoding="UTF-8"?>
<D:multistatus xmlns:D="DAV:">

<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>/lenya/blog/authoring/entries/2003/08/24/peanuts/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>

</D:multistatus>

The format string bug can be triggered with a response like:
...
<D:status>%08x%08x</D:status>
...
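The bug class described above, shown beside its fix, as an added example in C. This is not neon's code: `struct session`, `set_error`, the `report_bad_status_*` functions and `count_format_directives` are stand-ins invented for illustration, and the only thing taken from the advisory is the `%08x%08x` sample text. The safe path passes server-controlled text only as a `%s` argument, so the directives are copied literally instead of being interpreted; the audit helper counts directives in untrusted text, which is useful for a regression test or a log-side check but is not a substitute for the constant-format fix.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a client session's error buffer; not neon's
 * real ne_session structure. */
#define ERRLEN 200
struct session {
    char error[ERRLEN];
};

/* Stand-in for the printf-style setter neon gained in 0.19.0. The
 * function itself is fine; the bug is in how callers pass untrusted text. */
static void set_error(struct session *s, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(s->error, sizeof s->error, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern (the bug class in the advisory): server-controlled
 * text is passed as the format string, so any %-directives in it are
 * interpreted by the libc formatter. Kept here for contrast only; it is
 * never called with untrusted input in this example. */
static void report_bad_status_unsafe(struct session *s, const char *status_text)
{
    set_error(s, status_text);
}

/* FIXED pattern: a constant format string, untrusted text only as a %s
 * argument. Directives in status_text are copied literally. */
static void report_bad_status_safe(struct session *s, const char *status_text)
{
    set_error(s, "Invalid status line: %s", status_text);
}

/* Run the safe path on a fresh session and return the recorded error
 * text, so the result can be checked from main() or a test. */
static const char *safe_error_for(const char *status_text)
{
    static struct session s;
    memset(&s, 0, sizeof s);
    report_bad_status_safe(&s, status_text);
    return s.error;
}

/* Audit helper: count printf conversion directives in text the server
 * controls, treating "%%" as an escaped literal percent sign. */
static int count_format_directives(const char *text)
{
    int n = 0;
    for (const char *p = text; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the status text from the advisory's example. */
    const char *hostile = "%08x%08x";

    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    printf("safe error text: %s\n", safe_error_for(hostile));
    (void)report_bad_status_unsafe; /* referenced so the compiler does not warn it is unused */
    return 0;
}
```

In a real code base the setter would also carry `__attribute__((format(printf, 2, 3)))`, which lets gcc and clang flag the unsafe caller under `-Wformat-security`; it is left off here only so the contrasting function still compiles on toolchains that promote that warning to an error.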

Timeline
========

2004-03-10: Bug discovered
2004-03-15: Contacted jorton@...hat.com (maintainer)
2004-03-16: Maintainer confirmation
2004-04-14: Maintainer released fixed version 0.24.5
2004-04-16: Public disclosure

Discovered by
=============

Thomas Wana <greuff@...d.at>

Credits
=======

void.at
Joe Orton (neon maintainer)