[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

mgetty 1.2.0 Buffer Overflow / Privilege Escalation Vulnerabilities

Author
Eric Sesterhenn
Risk
[
Security Risk High
]
0day-ID
0day-ID-31142
Category
local exploits
Date add
21-09-2018
CVE
CVE-2018-16741
CVE-2018-16742
CVE-2018-16743
CVE-2018-16744
CVE-2018-16745
Platform
windows
Multiple Vulnerabilities in mgetty
==================================


Overview
- --------
Confirmed Affected Versions: 1.2.0
Patched Versions: 1.2.1
Vendor: mgetty
Vendor URL: http://mgetty.greenie.net
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty


Summary and Impact
- ------------------
Multiple issues have been identified in the mgetty fax software. These
might be used by local users to elevate their privileges.
X41 did not perform a full test or audit on the software.


Product Description
- -------------------
- From the vendor: For those of you that do not know mgetty+sendfax yet:
it's a reliable and proven fax send and receive solution for unix and
Linux. But it can do much more... so read the docs and be surprised.

Shell injection via faxq-helper
===============================
Severity Rating: Medium
Vector: Fax Job
CVE: CVE-2018-16741
CWE: 78
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
In fax/faxq-helper.c function do_activate(), not all characters are
properly sanitized to prevent command injection. It is possible to use
||, && or > to change the control flow.

{% highlight c %}
        /* replace all quote characters, backslash and ';' by '' */
        for( q = buf; *q != '\0'; q++ )
        {
            if ( *q == '\'' || *q == '"' || *q == '`' ||
                 *q == '\' || *q == ';' )
                                    { *q = ''; }
        }
{% endhighlight %}

A job file containing malicious input can be constructed using
faxq-helper activate <jobid>. One faxrunq is started, the code is
executed as the user running the command.

{% highlight bash %}
        /* replace all quote characters, backslash and ';' by '' */
    #               "   '    \    $   ;
    command=tr -d '\042\047\140\134\044\073' <JOB | \
             $AWK 'BEGIN { phone="-"; flags=""; pages="" }
                  $1=="phone" { phone=$2 }
                  $1=="header"     { flags=flags" -h "$2 }
                  $1=="poll"       { flags=flags" -p" }
                  $1=="normalres" { flags=flags" -n" }
                  $1=="accthandle" { flags=flags" -A
\""substr($0,13)"\"" }
                  $1=="pages" { for( i=2; i<=NF; i++) pages=pages$i" " }
                  END { printf "'"$FAXSENDER"' -v%s %s %s", \
                               flags, phone, pages }' -`


execute faxsend command
=======================
$echo "$command"

eval $command
{% endhighlight %}


Stack Based Buffer Overflow With Long Username in
contrib/next-login/login.c
============================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16743
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file contrib/next-login/login.c the command line parameter username
is passed unsanitized to strcpy(), which causes a stack based buffer
overflow if too long.

{% highlight c %}
        char tbuf[MAXPATHLEN + 2], tname[sizeof(PATHTTY) + 10];
...
        if (*argv) {
                username = *argv;
                ask = 0;
...
                if (failures && strcmp(tbuf, username)) {
                        if (failures > (pwd ? 0 : 1))
                                badlogin(tbuf);
                        failures = 0;
                }
                (void)strcpy(tbuf, username);
{% endhighlight %}


Stack Based Buffer Overflow With Long Argument in contrib/scrts.c
=================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16742
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file contrib/scrts.c a stack buffer overflow can be triggered via
command line parameter.

{% highlight c %}
int main( int argc, char ** argv )
{
int i, fd;
struct termios tio;
char device[1000];

for ( i=1; i<argc; i++ )

{

    if ( strchr( argv[i], '/' ) == NULL )

        sprintf( device, "/dev/%s", argv[i] );

    else

        strcpy( device, argv[i] );
{% endhighlight %}


Stack Based Buffer Overflow and Command injection in faxrec.c
=============================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16744 (for command injection), CVE-2018-16745 (for overflow)
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file faxrec.c function fax_notify_mail(), the mail_to parameter is
not sanitized. It could allow for command injection or a buffer
overflow if it is too long. If is called from facrec() which in turn
is called from main() in mgetty.c. Since the notify_mail parameter is
a configuration parameter, it should only be possible to set it from
trusted source. If mgetty would be used with e.g. a webfront end, this
might be abused for a privilege escalation.

{% highlight c %}
void faxnotifymail P3( (pagenum, ppagenum, mailto),
                          int pagenum, int ppagenum, char * mailto )
{
FILE  * pipefp;
char  * filename, * p;
char    buf[256];
int     r;
timet  ti;
    lprintf( LNOISE, "faxnotifymail: sending mail to: %s", mailto );
    sprintf( buf, "%s %s >/dev/null 2>&1", MAILER, mailto );
    pipefp = popen( buf, "w" );
{% endhighlight %}


Endless loop in g3/g32pbm.c
===========================
When converting g32 files using g3/g32pbm.c, an endless loop can be
triggered by malformed input file. Example can be found at
files/g32pmbinfiniteloop.

Out Of Bounds Access in g3/pbm2g3.c
===================================
When converting pbm files using g3/pbm2g3.c, out of bounds accesses
can occur with malformed input files in putwhitespan(). An example can
be found with files/pbm2g2oobaccess.

{% highlight c %}
     putcode( twhite[l].bitcode, twhite[l].bitlength );
{% endhighlight %}


Workaround
- ----------
None.


Timeline
- --------
2018-06-07 Issues found
2018-08-27 Issue reported to vendor
2018-08-28 Vendor reply
2018-09-08 Vendors sends patches
2018-09-08 CVE IDs requested
2018-09-09 CVE IDs assigned
2018-09-11 Patched Version released
2018-09-11 Advisory released

#  0day.today [2024-12-26]  #