Remote Format String Vulnerability in Tanne

Summary

Tanne is a small, secure session-management solution for HTTP. It replaces common sessions with a system consisting of a PIN and TANs, well known from online banking. Its main purpose is to enable programmers of Web applications to have really secured sessions without cookies or session IDs. A format string vulnerability in the product allows remote attackers to cause the program to execute arbitrary code.

Credit:

The information has been provided by dong-h0un yoU.


Details

Vulnerable systems:
 * Tanne version 0.6.17

Vulnerable code:
The logger() function is at line 29 of 'netzio.c'. In both branches shown below, the already formatted buffer txt is passed to syslog() as the format string:

            else
            {
                    va_start( args, str );
                    vsnprintf( txt, 511, str, args );
                    va_end( args );
                    openlog( "Tanne2", LOG_PID, LOG_DAEMON );
                    syslog( LOG_INFO, txt ); // Here: txt is used as the format string.
                    closelog();
            }
            umask( NORMALE_UMASK );
    #else
            va_start( args, str );
            vsnprintf( txt, 511, str, args );
            va_end( args );
            openlog( "Tanne2", LOG_PID, LOG_DAEMON );
            syslog( LOG_INFO, txt ); // Here: txt is used as the format string.
            closelog();
    #endif
    }
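A hardened form of this logging path, added here as an example and not taken from Tanne's source: the message is expanded once and then handed to the log call strictly as data. The names `safe_logger`, `log_sink`, `capture_sink` and `logged_text` are hypothetical, the format attribute is a GCC/Clang extension, and the capturing sink stands in for syslog() so the result can be checked without a syslog daemon.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* All names below are hypothetical; only the "Tanne2" ident and the
 * "%s" fix come from the advisory. */
typedef void (*log_sink_fn)(int priority, const char *format, ...);
static log_sink_fn log_sink = syslog;   /* real sink by default */
static char captured[512];              /* last entry seen by capture_sink */

/* Stand-in sink: expands its format the way syslog() would. */
void capture_sink(int priority, const char *format, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, format);
    vsnprintf(captured, sizeof captured, format, ap);
    va_end(ap);
}

/* GCC/Clang extension: call sites are checked like printf(), so
 * -Wformat-security flags safe_logger(untrusted) with no arguments. */
__attribute__((format(printf, 1, 2)))
int safe_logger(const char *fmt, ...)
{
    char txt[512];
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(txt, sizeof txt, fmt, ap);  /* the only expansion */
    va_end(ap);
    if (n < 0) return -1;                     /* formatting failed */
    openlog("Tanne2", LOG_PID, LOG_DAEMON);
    log_sink(LOG_INFO, "%s", txt);            /* txt is data, not a format */
    closelog();
    return n >= (int)sizeof txt;              /* 1 if the entry was cut */
}

/* Logs a client-supplied value through the capturing sink and returns
 * the text that reached the log. */
const char *logged_text(const char *client_value)
{
    log_sink = capture_sink;
    safe_logger("bad request: %s", client_value);
    return captured;
}

/* Constructed sample input: conversion specifiers arriving as data. */
int main(void) { puts(logged_text("%x%x%n")); return 0; }
```

Because the sink performs a real printf-style expansion, seeing the specifiers come out unchanged shows that the second expansion present in the vulnerable code no longer happens.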

Patch:
— netzio.c Wed Jul 25 22:17:29 2001
+++ netzio.patch.c Sun Jan 5 11:18:31 2003
@@ -62,7 +62,7 @@
  vsnprintf( txt, 511, str, args );
  va_end( args );
  openlog( ‘Tanne2’, LOG_PID, LOG_DAEMON );
– syslog( LOG_INFO, txt );
+ syslog( LOG_INFO, ‘%s’, txt );
  closelog();
  }
  umask( NORMALE_UMASK );
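Review bot: the context line `vsnprintf( txt, 511, str, args );` at the top of this hunk still expands `str` as a format string, so the `%s` added to the syslog() call only protects logger() if every caller passes a constant format and puts request data in the arguments. I would audit the call sites of logger() as part of this change, or declare logger() with a printf format attribute and build with -Wformat-security so that a call with a non-literal format and no arguments is flagged by the compiler.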
@@ -71,7 +71,7 @@
  vsnprintf( txt, 511, str, args );
  va_end( args );
  openlog( ‘Tanne2’, LOG_PID, LOG_DAEMON );
– syslog( LOG_INFO, txt );
+ syslog( LOG_INFO, ‘%s’, txt );
  closelog();
 #endif
 }’
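Review bot: the lines changed here, just before `#endif`, are a line-for-line copy of the first hunk, and keeping the vsnprintf/openlog/syslog/closelog sequence duplicated in two preprocessor branches makes it easy for the next fix to land in only one copy. Suggest moving the sequence into a single helper called from both places, and replacing the hard-coded 511 in `vsnprintf( txt, 511, str, args );` with a size derived from the declaration of txt, which is not visible in this patch.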
