<<< Date Index >>>     <<< Thread Index >>>

PSR - #2004-002 Remote - LCDProc




***************************************************************************
 Priv8 Security Research - #2004-001              security@xxxxxxxxxxxxxxxxx
 http://www.priv8security.com                     Adriano Lima
 February 22nd, 2004
---------------------------------------------------------------------------

Package Name: LCDProc
Vendor URL:  http://lcdproc.omnipotent.net
Date:  2004-02-22
ID:  PSR-#2004-002
Affected Version: 0.4.1 and lower
Risk: HIGH

***************************************************************************

Package Description:

LCDproc is a software that displays real-time system information from your 
Linux/*BSD box on a LCD. The server supports several serial devices: Matrix 
Orbital, Crystal Fontz, Bayrad, LB216, LCDM001 (kernelconcepts.de), Wirz-SLI, 
Cwlinux(.com) and PIC-an-LCD; and some devices connected to the LPT port: 
HD44780, STV5730, T6963, SED1520 and SED1330. Various clients  that display 
things like CPU load, system load, memory usage, uptime, and a lot more, are 
available.

Problem Description:

Multiple bugs were found on LCDd server version 0.4.1 and lower that allow 
remote users to execute arbitrary code.

Problem 1:
Function parse_all_client_messages() on parse.c file.

        if (invalid) {
                // FIXME:  Check for buffer overflows here...
                sprintf (errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
                sock_send_string (c->sock, errmsg);
        }
        
Sending an invalid long command, we overflow "errmsg" buffer, gaining control 
of the eip register.
Obs: Look at the FIXME msg, I guess he forgot to check it.

Problem 2:
Function test_func_func() on client_functions.c.

        int
        test_func_func (client * c, int argc, char **argv)
        {
                int i;
                char str[256];

                for (i = 0; i < argc; i++) {
                        sprintf (str, "test_func_func:  %i -> %s\n", i, 
argv[i]);
                        printf (str);
                        sock_send_string (c->sock, str);
                }
                return 0;
        }

Sending a long argv on test_func command, will cause an overflow on "str" 
buffer.

Problem 3:
On same function above, it is possible to exploit a format string bug on 
print(str);


Testing:

See proof of concept code on 
http://www.priv8security.com/releases/lcdproc/priv8lcd.pl

Solutions:

        It is recommended that all users upgrade to version 0.4.4 and install 
the follow patch coded by Rodrigo Rubira Branco:
        http://www.priv8security.com/releases/lcdproc/lcdproc.patch


References:
        http://www.priv8security.com/releases/lcdproc/lcdproc.adv1
        http://www.priv8security.com/releases/lcdproc/lcdproc.adv2
        http://www.priv8security.com/releases/lcdproc/lcdproc.patch
        http://www.priv8security.com/releases/lcdproc/priv8lcd.pl
        
ADDITIONAL INSTRUCTIONS:
        Apply this patch against the latest version of lcdproc.


About Priv8 Security Research Group:
        Priv8 Security is a group of programmers and enthusiastic friends
new and motivated the security area.


Questions:
        If you have any questions, send a mail to security@xxxxxxxxxxxxxxxxx

  Check out our mailing lists:
  <http://www.priv8security.com>


  The advisory itself is available at
  <http://www.priv8security.com/releases/lcdproc/lcdproc.adv2>


---------------------------------------------------------------------------
All advisories are signed with PRTT's GPG key. The key and instructions
on how to import it can be found at
http://www.priv8security.com
Instructions on how to check the signatures of the packages can be
found at http://www.priv8security.com

---------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.priv8security.com

---------------------------------------------------------------------------
Copyright (c) 2004 Priv8 Security
http://www.priv8security.com

---------------------------------------------------------------------------
subscribe: security@xxxxxxxxxxxxxxxxx
unsubscribe: security@xxxxxxxxxxxxxxxxx