mgetty 1.2.0 Buffer Overflow / Privilege Escalation

  • mgetty version 1.2.0 suffers from buffer overflow, code execution, and various other privilege escalation related vulnerabilities.
    MD5 | efa03dfc830f599a7cbecef8831e2779

    X41 D-Sec GmbH Security Advisory: X41-2018-007  
    Multiple Vulnerabilities in mgetty  
    --------  
    Confirmed Affected Versions: 1.2.0  
    Patched Versions: 1.2.1  
    Vendor: mgetty  
    Vendor URL:  
    Credit: X41 D-Sec GmbH, Eric Sesterhenn  
    Status: Public  
    Summary and Impact  
    ------------------  
    Multiple issues have been identified in the mgetty fax software. These  
    might be used by local users to elevate their privileges.  
    X41 did not perform a full test or audit on the software.  
    Product Description  
    -------------------  
    From the vendor: For those of you that do not know mgetty+sendfax yet:  
    it's a reliable and proven fax send and receive solution for unix and  
    Linux. But it can do much more... so read the docs and be surprised.  
    Shell injection via faxq-helper  
    Severity Rating: Medium  
    Vector: Fax Job  
    CVE: CVE-2018-16741  
    CWE: 78  
    CVSS Score: 6.1  
    CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N  
    In fax/faxq-helper.c function do_activate(), not all characters are  
    properly sanitized to prevent command injection. It is possible to use  
    ||, && or > to change the control flow.  
    ```c
    /* replace all quote characters, backslash and ';' by ' ' */
    for( q = buf; *q != '\0'; q++ )
        if ( *q == '\'' || *q == '"' || *q == '`' ||
             *q == '\\' || *q == ';' )
        { *q = ' '; }
    ```
    A job file containing malicious input can be constructed using  
    faxq-helper activate <jobid>. Once faxrunq is started, the code is  
    executed as the user running the command.  
    ```sh
    #               "   '    \    $   ;
    command=`tr -d '\042\047\140\134\044\073' <JOB | \
        $AWK 'BEGIN { phone="-"; flags=""; pages="" }
        $1=="phone"      { phone=$2 }
        $1=="header"     { flags=flags" -h "$2 }
        $1=="poll"       { flags=flags" -p" }
        $1=="normalres"  { flags=flags" -n" }
        $1=="accthandle" { flags=flags" -A \""substr($0,13)"\"" }
        $1=="pages"      { for( i=2; i<=NF; i++) pages=pages$i" " }
        END { printf "'"$FAXSENDER"' -v%s %s %s", \
              flags, phone, pages }' -`

    # execute faxsend command
    $echo "$command"
    eval $command
    ```
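As an added example (not code from the advisory or from mgetty), the block below reproduces the do_activate() filter quoted above, shows that it leaves the shell operators the text mentions untouched, and contrasts it with an allowlist check for one job-file field; the accepted phone character set is an assumption chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Legacy filter, mirroring the do_activate() loop quoted above: quotes,
 * backslash and ';' are blanked, every other byte passes through. */
static void legacy_filter(char *buf)
{
    char *q;
    for (q = buf; *q != '\0'; q++)
        if (*q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';')
            *q = ' ';
}

/* 1 if a shell control operator or expansion character is still present. */
static int has_shell_operator(const char *s)
{
    return strpbrk(s, "|&<>$()\n") != NULL;
}

/* Run the legacy filter on a copy and report whether an operator survived. */
static int legacy_leaves_operator(const char *field)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", field);
    legacy_filter(buf);
    return has_shell_operator(buf);
}

/* Allowlist for a "phone" field: digits plus a few dial modifiers.
 * Assumption: this character set is a policy chosen for the example,
 * not mgetty's own. Anything else, including spaces, is rejected. */
static int phone_is_valid(const char *s)
{
    size_t i, n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]) && strchr("+-*#,", s[i]) == NULL)
            return 0;
    return 1;
}

int main(void)
{
    const char *bad = "5551234 || echo injected"; /* constructed sample */
    printf("legacy leaves operator=%d allowlist accepts=%d\n",
           legacy_leaves_operator(bad), phone_is_valid(bad));
    return 0;
}
```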
    Stack Based Buffer Overflow With Long Username in  
    Severity Rating: Low  
    Vector: Command Line Parameter  
    CVE: CVE-2018-16743  
    CWE: 121  
    CVSS Score: 2.9  
    CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N  
    In file contrib/next-login/login.c the command line parameter username  
    is passed unsanitized to strcpy(), which causes a stack based buffer  
    overflow if too long.  
    ```c
    char tbuf[MAXPATHLEN + 2], tname[sizeof(PATHTTY) + 10];
    if (*argv) {
        username = *argv;
        ask = 0;
        if (failures && strcmp(tbuf, username)) {
            if (failures > (pwd ? 0 : 1))
            failures = 0;
        (void)strcpy(tbuf, username);
    ```
    Stack Based Buffer Overflow With Long Argument in contrib/scrts.c  
    Severity Rating: Low  
    Vector: Command Line Parameter  
    CVE: CVE-2018-16742  
    CWE: 121  
    CVSS Score: 2.9  
    CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N  
    In file contrib/scrts.c a stack buffer overflow can be triggered via  
    command line parameter.  
    ```c
    int main( int argc, char ** argv )
    {
    int i, fd;
    struct termios tio;
    char device[1000];

        for ( i=1; i<argc; i++ )
        {
            if ( strchr( argv[i], '/' ) == NULL )
                sprintf( device, "/dev/%s", argv[i] );
            else
                strcpy( device, argv[i] );
    ```
    Stack Based Buffer Overflow and Command injection in faxrec.c  
    Severity Rating: Low  
    Vector: Command Line Parameter  
    CVE: CVE-2018-16744 (for command injection), CVE-2018-16745 (for overflow)  
    CWE: 121  
    CVSS Score: 2.9  
    CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N  
    In file faxrec.c function fax_notify_mail(), the mail_to parameter is  
    not sanitized. It could allow for command injection or a buffer  
    overflow if it is too long. It is called from faxrec(), which in turn  
    is called from main() in mgetty.c. Since the notify_mail parameter is  
    a configuration parameter, it should only be possible to set it from  
    a trusted source. If mgetty were used with e.g. a web front end, this  
    might be abused for a privilege escalation.  
    ```c
    void fax_notify_mail _P3( (pagenum, ppagenum, mailto),
                              int pagenum, int ppagenum, char * mailto )
    {
    FILE  * pipe_fp;
    char  * file_name, * p;
    char    buf[256];
    int     r;
    time_t  ti;

        lprintf( L_NOISE, "fax_notify_mail: sending mail to: %s", mailto );

        sprintf( buf, "%s %s >/dev/null 2>&1", MAILER, mailto );

        pipe_fp = popen( buf, "w" );
    ```
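An added example (not mgetty's code) covering the scrts.c and fax_notify_mail() snippets above: a bounded replacement for the sprintf()/strcpy() pair that reports truncation instead of overflowing, and a recipient allowlist plus argv construction so the mailer can be started with execvp() rather than through a shell; the accepted character set and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Bounded replacement for the sprintf()/strcpy() pair in scrts.c. Returns 0
 * on success, -1 if the argument does not fit (snprintf() truncates silently). */
static int build_device_path(char *dst, size_t dstlen, const char *arg)
{
    int n;
    if (strchr(arg, '/') == NULL)
        n = snprintf(dst, dstlen, "/dev/%s", arg);
    else
        n = snprintf(dst, dstlen, "%s", arg);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Allowlist for the recipient handed to the mailer: letters, digits and
 * "@._+-" only, bounded length. Assumption: policy chosen for this example. */
static int mailto_is_valid(const char *s)
{
    size_t i, n = strlen(s);
    if (n == 0 || n > 254) return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && strchr("@._+-", s[i]) == NULL)
            return 0;
    return 1;
}

/* Build argv for fork()/execvp() with a pipe instead of popen(): the recipient
 * is one argv entry and never reaches a shell. Returns argc, or -1 if rejected. */
static int build_mailer_argv(const char *mailer, const char *mailto,
                             const char *argv[], int maxargs)
{
    if (maxargs < 3 || !mailto_is_valid(mailto)) return -1;
    argv[0] = mailer;
    argv[1] = mailto;
    argv[2] = NULL;
    return 2;
}

int main(void)
{
    char dev[16]; const char *argv[3]; /* constructed sample inputs below */
    printf("%d %d\n", build_device_path(dev, sizeof dev, "ttyS0"),
           build_mailer_argv("/usr/bin/mail", "ops@example.com", argv, 3));
    return 0;
}
```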
    Endless loop in g3/g32pbm.c  
    When converting g32 files using g3/g32pbm.c, an endless loop can be  
    triggered by a malformed input file. Example can be found at  
    Out Of Bounds Access in g3/pbm2g3.c  
    When converting pbm files using g3/pbm2g3.c, out of bounds accesses  
    can occur with malformed input files in putwhitespan(). An example can  
    be found with files/pbm2g2oobaccess.  
    ```c
    putcode( t_white[l].bit_code, t_white[l].bit_length );
    ```
    Timeline  
    --------  
    2018-06-07 Issues found  
    2018-08-27 Issue reported to vendor  
    2018-08-28 Vendor reply  
    2018-09-08 Vendors sends patches  
    2018-09-08 CVE IDs requested  
    2018-09-09 CVE IDs assigned  
    2018-09-11 Patched Version released  
    2018-09-11 Advisory released  
    About X41 D-SEC GmbH  
    X41 is an expert provider for application security services.  
    Having extensive industry experience and expertise in the area of  
    information security, a strong core security team of world class  
    security experts enables X41 to perform premium security services.  
    Fields of expertise in the area of application security are security  
    centered code reviews, binary reverse engineering and vulnerability  
    Custom research and IT security consulting and support services are  
    core competencies of X41.  
    --  
    X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen  
    T: +49 241 9809418-0, Fax: -9  
    Registered office: Aachen, Aachen District Court: HRB19989  
    Managing Director: Markus Vervier  

