From: Bill P. <Bi...@pi...> - 2004-06-03 18:47:24
Please remove me from these mailing lists.

----- Original Message -----
From: "Paul Herman" <ph...@fr...>
To: <tri...@li...>
Cc: <ful...@li...>; <bu...@se...>
Sent: Thursday, June 03, 2004 12:41 AM
Subject: Format String Vulnerability in Tripwire

> SUMMARY
> -------
> Tripwire(tm) is a Security, Intrusion Detection, Damage Assessment
> and Recovery, Forensics software.
>
> A vulnerability in the product allows a user on the local machine
> under certain circumstances to execute arbitrary code with the
> rights of the user running the program (typically root).
>
>
> VERSIONS AFFECTED
> -----------------
> Tripwire commercial versions <= 2.4
> Tripwire open source versions <= 2.3.1
>
>
> DETAILS
> -------
> A format string vulnerability exists when tripwire generates an
> email report (i.e. 'tripwire -m c -M'). Each line of the report is
> passed to an fprintf() function in pipedmailmessage.cpp in the
> following manner:
>
> fprintf(mpFile, s.c_str() );
>
> If a local user were to create a file with a carefully crafted
> filename on the local system, that filename may be included in the
> report and passed to fprintf() (albeit from the heap.) No exploit
> is known at this time, but the author of this advisory believes
> this vulnerability could be exploitable.
>
> Tripwire Inc. has been notified and has implemented a fix.
>
>
> IMPACT
> ------
> This vulnerability allows an attacker to execute arbitrary code
> with the rights of the user running the file check, which is
> typically root. The vulnerability exists only when tripwire is used
> to generate an email report. Users who do not generate an email
> report are not affected by this vulnerability.
>
>
> WORKAROUND
> ----------
> Disable email reporting. All users are advised to upgrade to a
> version which is not vulnerable.
>
>
> PATCH
> -----
> If you are using Open Source Tripwire(tm) version 2.3.1, the
> following patch will fix this particular issue:
>
> Index: src/tripwire/pipedmailmessage.cpp
> ===================================================================
> retrieving revision 1.1
> retrieving revision 1.2
> diff -u -r1.1 -r1.2
> --- src/tripwire/pipedmailmessage.cpp 21 Jan 2001 00:46:48 -0000 1.1
> +++ src/tripwire/pipedmailmessage.cpp 26 May 2004 20:59:15 -0000 1.2
> @@ -180,7 +180,7 @@
>
> void cPipedMailMessage::SendString( const TSTRING& s )
> {
> - if( _ftprintf( mpFile, s.c_str() ) < 0 )
> + if( _ftprintf( mpFile, "%s", s.c_str() ) < 0 )
> {
> TOSTRINGSTREAM estr;
> estr << TSS_GetString( cTripwire, tripwire::STR_ERR2_MAIL_MESSAGE_COMMAND )
>
>
> AUTHOR OF ADVISORY
> ------------------
> Paul Herman <ph...@fr...>
>
>
> ACKNOWLEDGEMENT
> ---------------
> I would like to thank Robert C. Jacobson <8dg...@sn...>
> for an initial bug report which led to me discovering this
> vulnerability.
>
>
> TRIPWIRE TRADEMARK NOTICE
> -------------------------
> The developer of the original code and/or files is Tripwire, Inc.
> Portions created by Tripwire, Inc. are copyright 2000 Tripwire,
> Inc. Tripwire is a registered trademark of Tripwire, Inc. All
> rights reserved.
>
> Nothing in the GNU General Public License or any other license to
> use the code or files shall permit you to use Tripwire's
> trademarks, service marks, or other intellectual property without
> Tripwire's prior written consent in the form of a license agreement
> signed by an officer of Tripwire, Inc.
>
> If you have any questions, please contact Tripwire, Inc. at either
> in...@tr... or www.tripwire.org.
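Review bot: the constant `"%s"` format in the `SendString` hunk is the correct fix for the line-as-format bug; since the line is written verbatim, `fputs(s.c_str(), mpFile)` would achieve the same with no format parsing at all and still returns a negative value (EOF) on failure, so the existing `< 0` check would keep its shape. Because the advisory says every report line passes through this path, it is worth confirming there is no second `_ftprintf` call in pipedmailmessage.cpp that takes a report line as its format argument.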
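The pattern the advisory describes, carried into a small stand-alone C program as an added example (this is not Tripwire's code or the advisory author's): `send_string_fixed` mirrors the `"%s"` change from the quoted patch, `count_format_directives` is a constructed audit helper that counts the conversions a filename would smuggle into the format if the line were still used as one, and `emit_line` is an assumed stand-in for the mail pipe that writes into a memory buffer via `fmemopen`. The sample filenames are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed example, not Tripwire code. The advisory's vulnerable call was
 *
 *     fprintf(mpFile, s.c_str());          // report line used AS the format
 *
 * so any '%' conversion inside a filename that ends up in the report is
 * interpreted by fprintf with no matching arguments (undefined behaviour).
 * The patched call below passes a constant format and the line as data.
 */

/* Fixed form, mirroring the "%s" change in the quoted patch.
 * Returns the fprintf result so callers can keep the "< 0" error check. */
int send_string_fixed(FILE *mp, const char *s)
{
    return fprintf(mp, "%s", s);
}

/*
 * Audit helper (constructed): count the printf conversion directives a line
 * would introduce if it were wrongly used as a format string. "%%" is a
 * literal percent and is not counted. A non-zero result on a report line
 * built from filesystem names is exactly the condition the fix removes,
 * and a cheap thing to flag when reviewing report generators.
 */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, prints literally */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/*
 * Stand-in for the mail pipe (assumption): write one report line through
 * the fixed path into a caller-supplied buffer and return the byte count,
 * or -1 on error. fmemopen is POSIX.1-2008; glibc and musl NUL-terminate
 * the buffer on close when space allows.
 */
int emit_line(const char *s, char *out, size_t outlen)
{
    FILE *mp = fmemopen(out, outlen, "w");
    if (mp == NULL)
        return -1;
    int rc = send_string_fixed(mp, s);
    if (fclose(mp) != 0)
        return -1;
    return rc;
}

int main(void)
{
    /* Constructed filenames of the kind the advisory describes: the first
     * carries two conversions, the second only an escaped percent. */
    const char *lines[] = { "/tmp/%08x%n", "100%% complete", "/etc/passwd" };
    char out[128];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        size_t d = count_format_directives(lines[i]);
        int n = emit_line(lines[i], out, sizeof out);
        /* The line is printed here as data too, never as the format. */
        printf("%-16s directives=%zu written=%d -> \"%s\"\n",
               lines[i], d, n, n < 0 ? "(error)" : out);
    }
    return 0;
}
```

With the constant format, every byte of the filename reaches the output unchanged and the `%` sequences are never interpreted; the directive count is what a reviewer would grep for in any remaining call site that still hands a composed line to a `printf`-family function as its first argument.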