0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
mgetty 1.2.0 Buffer Overflow / Privilege Escalation Vulnerabilities
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Multiple Vulnerabilities in mgetty ================================== Overview - -------- Confirmed Affected Versions: 1.2.0 Patched Versions: 1.2.1 Vendor: mgetty Vendor URL: http://mgetty.greenie.net Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty Summary and Impact - ------------------ Multiple issues have been identified in the mgetty fax software. These might be used by local users to elevate their privileges. X41 did not perform a full test or audit on the software. Product Description - ------------------- - From the vendor: For those of you that do not know mgetty+sendfax yet: it's a reliable and proven fax send and receive solution for unix and Linux. But it can do much more... so read the docs and be surprised. Shell injection via faxq-helper =============================== Severity Rating: Medium Vector: Fax Job CVE: CVE-2018-16741 CWE: 78 CVSS Score: 6.1 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N In fax/faxq-helper.c function do_activate(), not all characters are properly sanitized to prevent command injection. It is possible to use ||, && or > to change the control flow. {% highlight c %} /* replace all quote characters, backslash and ';' by '' */ for( q = buf; *q != '\0'; q++ ) { if ( *q == '\'' || *q == '"' || *q == '`' || *q == '\' || *q == ';' ) { *q = ''; } } {% endhighlight %} A job file containing malicious input can be constructed using faxq-helper activate <jobid>. One faxrunq is started, the code is executed as the user running the command. {% highlight bash %} /* replace all quote characters, backslash and ';' by '' */ # " ' \ $ ; command=tr -d '\042\047\140\134\044\073' <JOB | \ $AWK 'BEGIN { phone="-"; flags=""; pages="" } $1=="phone" { phone=$2 } $1=="header" { flags=flags" -h "$2 } $1=="poll" { flags=flags" -p" } $1=="normalres" { flags=flags" -n" } $1=="accthandle" { flags=flags" -A \""substr($0,13)"\"" } $1=="pages" { for( i=2; i<=NF; i++) pages=pages$i" " } END { printf "'"$FAXSENDER"' -v%s %s %s", \ flags, phone, pages }' -` execute faxsend command ======================= $echo "$command" eval $command {% endhighlight %} Stack Based Buffer Overflow With Long Username in contrib/next-login/login.c ============================================================================ Severity Rating: Low Vector: Command Line Parameter CVE: CVE-2018-16743 CWE: 121 CVSS Score: 2.9 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N In file contrib/next-login/login.c the command line parameter username is passed unsanitized to strcpy(), which causes a stack based buffer overflow if too long. {% highlight c %} char tbuf[MAXPATHLEN + 2], tname[sizeof(PATHTTY) + 10]; ... if (*argv) { username = *argv; ask = 0; ... if (failures && strcmp(tbuf, username)) { if (failures > (pwd ? 0 : 1)) badlogin(tbuf); failures = 0; } (void)strcpy(tbuf, username); {% endhighlight %} Stack Based Buffer Overflow With Long Argument in contrib/scrts.c ================================================================= Severity Rating: Low Vector: Command Line Parameter CVE: CVE-2018-16742 CWE: 121 CVSS Score: 2.9 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N In file contrib/scrts.c a stack buffer overflow can be triggered via command line parameter. {% highlight c %} int main( int argc, char ** argv ) { int i, fd; struct termios tio; char device[1000]; for ( i=1; i<argc; i++ ) { if ( strchr( argv[i], '/' ) == NULL ) sprintf( device, "/dev/%s", argv[i] ); else strcpy( device, argv[i] ); {% endhighlight %} Stack Based Buffer Overflow and Command injection in faxrec.c ============================================================= Severity Rating: Low Vector: Command Line Parameter CVE: CVE-2018-16744 (for command injection), CVE-2018-16745 (for overflow) CWE: 121 CVSS Score: 2.9 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N In file faxrec.c function fax_notify_mail(), the mail_to parameter is not sanitized. It could allow for command injection or a buffer overflow if it is too long. If is called from facrec() which in turn is called from main() in mgetty.c. Since the notify_mail parameter is a configuration parameter, it should only be possible to set it from trusted source. If mgetty would be used with e.g. a webfront end, this might be abused for a privilege escalation. {% highlight c %} void faxnotifymail P3( (pagenum, ppagenum, mailto), int pagenum, int ppagenum, char * mailto ) { FILE * pipefp; char * filename, * p; char buf[256]; int r; timet ti; lprintf( LNOISE, "faxnotifymail: sending mail to: %s", mailto ); sprintf( buf, "%s %s >/dev/null 2>&1", MAILER, mailto ); pipefp = popen( buf, "w" ); {% endhighlight %} Endless loop in g3/g32pbm.c =========================== When converting g32 files using g3/g32pbm.c, an endless loop can be triggered by malformed input file. Example can be found at files/g32pmbinfiniteloop. Out Of Bounds Access in g3/pbm2g3.c =================================== When converting pbm files using g3/pbm2g3.c, out of bounds accesses can occur with malformed input files in putwhitespan(). An example can be found with files/pbm2g2oobaccess. {% highlight c %} putcode( twhite[l].bitcode, twhite[l].bitlength ); {% endhighlight %} Workaround - ---------- None. Timeline - -------- 2018-06-07 Issues found 2018-08-27 Issue reported to vendor 2018-08-28 Vendor reply 2018-09-08 Vendors sends patches 2018-09-08 CVE IDs requested 2018-09-09 CVE IDs assigned 2018-09-11 Patched Version released 2018-09-11 Advisory released # 0day.today [2024-12-26] #