[Tripwire-dev] Re: Format String Vulnerability in Tripwire

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

please remove me from these mailing lists


----- Original Message ----- 
From: "Paul Herman" <ph...@fr...>
To: <tri...@li...>
Cc: <ful...@li...>; <bu...@se...>
Sent: Thursday, June 03, 2004 12:41 AM
Subject: Format String Vulnerability in Tripwire


> SUMMARY
> -------
> Tripwire(tm) is a Security, Intrusion Detection, Damage Assessment
> and Recovery, Forensics software.
>
> A vulnerability in the product allows a user on the local machine
> under certain circumstances to execute arbitrary code with the
> rights of the user running the program (typically root).
>
>
> VERSIONS AFFECTED
> -----------------
> Tripwire commercial versions <= 2.4
> Tripwire open source versions <= 2.3.1
>
>
> DETAILS
> -------
> A format string vulnerability exists when tripwire generates an
> email report (i.e. 'tripwire -m c -M').  Each line of the report is
> passed to an fprintf() function in pipedmailmessage.cpp in the
> following manner:
>
> fprintf(mpFile, s.c_str() );
>
> If a local user were to create a file with a carefully crafted
> filename on the local system, that filename may be included in the
> report and passed to fprintf() (albeit from the heap.)  No exploit
> is known at this time, but the author of this advisory believes
> this vulnerability could be exploitable.
>
> Tripwire Inc. has been notified and has implemented a fix.
>
>
> IMPACT
> ------
> This vulnerability allows an attacker to execute arbitrary code
> with the rights of the user running the file check, which is
> typically root. The vulnerability exists only when tripwire is used
> to generate an email report.  Users who do not generate an email
> report are not affected by this vulnerability.
>
>
> WORKAROUND
> ----------
> Disable email reporting.  All users are advised to upgrade to a
> version which is not vulnerable.
>
>
> PATCH
> -----
> If you are using Open Source Tripwire(tm) version 2.3.1, the
> following patch will fix this particular issue:
>
> Index: src/tripwire/pipedmailmessage.cpp
> ===================================================================
> retrieving revision 1.1
> retrieving revision 1.2
> diff -u -r1.1 -r1.2
> --- src/tripwire/pipedmailmessage.cpp   21 Jan 2001 00:46:48 -0000
1.1
> +++ src/tripwire/pipedmailmessage.cpp   26 May 2004 20:59:15 -0000
1.2
> @@ -180,7 +180,7 @@
>
>  void cPipedMailMessage::SendString( const TSTRING& s )
>  {
> -    if( _ftprintf( mpFile, s.c_str() ) < 0 )
> +    if( _ftprintf( mpFile, "%s", s.c_str() ) < 0 )
>      {
>          TOSTRINGSTREAM estr;
>          estr << TSS_GetString( cTripwire,
tripwire::STR_ERR2_MAIL_MESSAGE_COMMAND )
>
>
> AUTHOR OF ADVISORY
> ------------------
> Paul Herman <ph...@fr...>
>
>
> ACKNOWLEDGEMENT
> ---------------
> I would like to thank Robert C. Jacobson <8dg...@sn...>
> for an initial bug report which led to me discovering this
> vulnerability.
>
>
> TRIPWIRE TRADEMARK NOTICE
> -------------------------
> The developer of the original code and/or files is Tripwire, Inc.
> Portions created by Tripwire, Inc. are copyright 2000 Tripwire,
> Inc. Tripwire is a registered trademark of Tripwire, Inc.  All
> rights reserved.
>
> Nothing in the GNU General Public License or any other license to
> use the code or files shall permit you to use Tripwire's
> trademarks, service marks, or other intellectual property without
> Tripwire's prior written consent in the form of a license agreement
> signed by an officer of Tripwire, Inc.
>
> If you have any questions, please contact Tripwire, Inc. at either
> in...@tr... or www.tripwire.org.