Debian Bug report logs - #392016
elog: Needs a security audit


Package: elog; Maintainer for elog is (unknown);

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 9 Oct 2006 20:33:03 UTC

Severity: grave

Tags: patch, security

Fixed in version 2.6.3+r1764-1.1+rm

Done: Raphael Geissert <atomo64@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Recai Oktaş <roktas@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: debian-audit@shellcode.org
Subject: elog: Needs a security audit
Date: Mon, 09 Oct 2006 19:48:02 +0200
Package: elog
Severity: grave
Tags: security
Justification: user security hole

In #389361 a complete lack of web script sanitising for logbook entries
was discovered and DSA-967 already fixed lots of vulnerabilities.

AFAICT Debian is the only distribution including elog, which seems
to have received relatively little external review. I guess it should
only be included in Etch after an audit by the debian-audit people.

Audit people, do you think you can review it before Etch?

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #10 received at 392016@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: 392016@bugs.debian.org
Subject: Perhaps
Date: Wed, 18 Oct 2006 16:31:34 +0100
I'll see what I can do.

// Ulf





Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #15 received at 392016@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: 392016@bugs.debian.org
Cc: Stefan.Ritt@psi.ch
Subject: ELOG security audit
Date: Tue, 31 Oct 2006 23:21:10 +0100
Hello,

I have performed a security audit of ELOG and here is what I found:


1) There is some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs, when a user uploads
and submits as the first attachment in an entry a file called
"%n%n%n%n" - or similar - which must not be empty.

The attached patch fixes this in two places and many other format
string problems just to be sure.


2) There is a Cross-site Scripting issue when requesting correctly
named but non-existent files for downloading, like with this URL:

http://localhost:8080/demo/123456_789012/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

The attached patch corrects this by quoting the dangerous characters.


3) There are also Cross-site Scripting issues when creating new
entries with New. If a document sends data to ELOG where the
fields Type and Category contain invalid entries with HTML code,
the resulting error document will print the Type or Category data
as-is with no quoting.

The attached patch corrects this minor problem as well.


I have verified that all three problems exist in Debian unstable,
as well as in the upstream ELOG-2.6.2 version. I haven't checked
any other versions (but the upstream SVN trunk looks like it also
has these bugs).


// Ulf Harnhammar, Debian Security Audit Project
   http://www.debian.org/security/audit/



[elog.security.patch (application/octet-stream, attachment)]
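As an added example (not code from ELOG or from the attached patch), here is a C HTML-escaping helper of the kind issues 2 and 3 above call for, applied to the not-found page for a download request; the function names, buffer sizes and page layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters that turn echoed user input into markup.  Returns
 * the length written (without the NUL) or -1 when `out` is too small, in
 * which case `out` is emptied rather than cut off inside an entity. */
int html_escape(const char *in, char *out, size_t out_size) {
    size_t used = 0;
    if (out_size == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep = one;          /* default: copy the byte through */
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > out_size) { out[0] = '\0'; return -1; }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hypothetical "file not found" body for a download request (assumed
 * layout): the requested name is escaped and then passed as an argument to
 * a constant format string, never used as the format itself, which is the
 * same discipline that closes the *printf() problem of issue 1. */
int not_found_page(const char *requested, char *body, size_t body_size) {
    char safe[256];
    if (html_escape(requested, safe, sizeof safe) < 0) return -1;
    int n = snprintf(body, body_size,
                     "<html><body>File <b>%s</b> not found</body></html>", safe);
    return (n < 0 || (size_t)n >= body_size) ? -1 : n;
}
```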

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #20 received at 392016@bugs.debian.org:

From: Ulf Harnhammar <metaur@telia.com>
To: 392016@bugs.debian.org
Cc: team@security.debian.org
Subject: elog in stable is also vulnerable
Date: Wed, 8 Nov 2006 23:14:16 +0100
I've just verified that elog in stable is vulnerable to
all issues mentioned in bug #392016.

// Ulf



Tags added: patch. Request was from Ulf Harnhammar <metaur@telia.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#392016; Package elog.


Acknowledgement sent to Recai Oktaş <roktas@debian.org>:
Extra info received and forwarded to list.


Message #27 received at 392016@bugs.debian.org:

From: Recai Oktaş <roktas@debian.org>
To: metaur@telia.com, 392016@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#392016: elog in stable is also vulnerable
Date: Thu, 9 Nov 2006 12:13:02 +0200
* Ulf Harnhammar [2006-11-08 23:14:16+0100]
> I've just verified that elog in stable is vulnerable to
> all issues mentioned in bug #392016.

Thank you very much for looking into this!  I've got another report
attached below.  I'll look into this problem also and will keep this bug
report open as I think elog should not enter Etch due to all the potential
security issues which increase the work-load on our security team during
the stable release cycle.

---------------------------------->8---------------------------------------
FYI

Hi,
We are working with Mr. Stefan Ritt on this issue and waiting for the fix.

Thanks,
OS2A


Forwarded Conversation
Subject: ELOG Web Logbook Remote Denial of Service Vulnerability
------------------------

 From: OS2A BTO <os2a.bto@gmail.com>
To: stefan.ritt@psi.ch
Date: Wed, Nov 8, 2006 at 6:12 PM
Attachments: os2a_1008.txt

Hi,
We recently came across a Denial of Service vulnerability in ELOG's
elogd server which allows attackers to crash the service, thereby preventing
legitimate access.

Attached is our security advisory which describes the vulnerability in detail.

Please let us know the time you might require to fix this issue.
And also let us know if you have any questions.

A quick and positive response from your side would be highly appreciated.

Thanks,
OS2A Team.


--------
 From: Stefan Ritt <stefan.ritt@psi.ch>
To: OS2A BTO <os2a.bto@gmail.com>
Date: Wed, Nov 8, 2006 at 6:31 PM

Dear OS2A team,

thank you for reporting this vulnerability and for the detailed
analysis, I really appreciate it. I fixed this problem and just released
version 2.6.2-7 (SVN revision 1746).

Best regards,

   Stefan Ritt

--
Dr. Stefan Ritt           Phone: +41 56 310 3728
Paul Scherrer Institute   FAX: +41 56 310 2199
OLGA/021                  mailto:stefan.ritt@psi.ch
CH-5232 Villigen PSI      http://midas.psi.ch/~stefan
------------------------------------------------------------------------
>
> ELOG Web Logbook Remote Denial of Service Vulnerability
>
>
> OS2A ID: OS2A_1008                    Status:
>                                       10/31/2006      Issue Discovered
>                                       11/08/2006      Reported to the Vendor
>                                       --              Fixed by Vendor
>                                       --              Advisory Released
>
>
> Class: Denial of Service              Severity: Medium
>
>
> Overview:
> ---------
> The Electronic Logbook (ELOG) is part of a family of applications known as
> weblogs. ELOG is a remarkable implementation of a weblog in its simplicity of
> use and versatility.
> http://midas.psi.ch/elog/index.html
>
> Description:
> ------------
> Remote exploitation of a denial of service vulnerability in ELOG's
> elogd server allows attackers to crash the service, thereby preventing
> legitimate access.
>
> The [global]  section in configuration file elogd.cfg is used for settings
> common to all logbooks. The vulnerability is due to improper handling of an
> HTTP GET request if logbook name 'global' (or any logbook name prefixed
> with global) is used in the request. When such a request is received,
> a NULL pointer dereference occurs, leading to a crash of the service.
>
> Only authenticated users can exploit this vulnerability if the application
> is configured with a password.
>
> Impact:
> -------
> Successful exploitation allows a remote attacker to crash the elogd server.
>
> Affected Software(s):
> ---------------------
> ELOG 2.6.2 and prior.
>
> Proof of Concept:
> -----------------
> The HTTP GET request given below is sufficient to crash the affected server:
> http://www.example.com/global/
>
> Analysis:
> -----------
> #gdb ./elogd
> ...
> ...
>
> (gdb) break show_elog_list
> Breakpoint 2 at 0x809d6e0
>
> (gdb) c
> Continuing.
> (no debugging symbols found)
> elogd 2.6.2 built Nov  8 2006, 01:25:48 revision 1699
> Falling back to default group "elog"
> Falling back to default user "elog"
> Indexing logbooks ... done
> Server listening on port 8080 ...
>
> Breakpoint 2, 0x0809d6e0 in show_elog_list ()
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0809eb7a in show_elog_list ()
>
> (gdb) bt
> #0  0x0809eb7a in show_elog_list ()
> #1  0x00000000 in ?? ()
>
> (gdb) i r
> eax            0x0      0
> ecx            0x9d43d88        164904328
> edx            0x0      0
> ebx            0x0      0
> esp            0xbfa8aca0       0xbfa8aca0
> ebp            0x80df40c        0x80df40c
> esi            0xbfb27050       -1078824880
> edi            0x0      0
> eip            0x809eb7a        0x809eb7a
> eflags         0x200246 2097734
> cs             0x73     115
> ss             0x7b     123
> ds             0x7b     123
> es             0x7b     123
> fs             0x0      0
> gs             0x33     51
>
> (gdb) x/i $eip
> 0x809eb7a <show_elog_list+5274>:        mov    (%eax),%eax
>
> The vulnerable code is at Line:16774 of elogd.c,
> n_msg = *lbs->n_el_index;
> where the pointer lbs is dereferenced before being null checked.
>
> --- elogd.c, Line:16772 -----
>
> } else {
>       n_logbook = 1;
>       n_msg = *lbs->n_el_index;
>    }
>
>    msg_list = xmalloc(sizeof(MSG_LIST) * n_msg);
>
> ---elogd.c, Line:16778 -----
>
>
> CVSS Score Report:
> -----------------
>     ACCESS_VECTOR          = REMOTE
>     ACCESS_COMPLEXITY      = LOW
>     AUTHENTICATION         = NOT_REQUIRED
>     CONFIDENTIALITY_IMPACT = NONE
>     INTEGRITY_IMPACT       = NONE
>     AVAILABILITY_IMPACT    = COMPLETE
>     IMPACT_BIAS            = AVAILABILITY
>     EXPLOITABILITY         = FUNCTIONAL
>     REMEDIATION_LEVEL      = WORKAROUND
>     REPORT_CONFIDENCE      = CONFIRMED
>     CVSS Base Score        = 5.0 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A)
>     CVSS Temporal Score    = 4.5
>     Risk factor            = Medium
>
>
> Vendor Response:
> ---------------
>
>
>
> Solution:
> ---------
> Before using the pointer, ensure that it is not equal to NULL.
> eg:
>
> if(!lbs->n_el_index) {
>     /* handle the null pointer dereference condition here */
> }
>
> Credits:
> -------
> Jayesh KS and Arun Kethipelly of OS2A have been credited with the discovery and
> analysis of this vulnerability.
>


--------
 From: OS2A BTO <os2a.bto@gmail.com>
To: Stefan Ritt <stefan.ritt@psi.ch>
Date: Wed, Nov 8, 2006 at 7:27 PM

Dear Stefan Ritt,
Thanks for the quick response.
We tested the fix you provided and it still seems to be having the problem.
We created another logbook named 'global', after the logbook 'demo',
in the configuration file elogd.cfg and tried accessing the server
with http://elogsite:8080/global/.

It's giving a segmentation fault.

This is the configuration file we used:

------elogd.cfg------------
[global]
port = 8080

[demo]
Theme = default
Comment = General linux tips & tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed,
Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type

[global]
Theme = default
Comment = General linux tips & tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed,
Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type
-------------elogd.cfg---------------------


Thanks,
OS2A
--------
 From: Stefan Ritt <stefan.ritt@psi.ch>
To: OS2A BTO <os2a.bto@gmail.com>
Date: Wed, Nov 8, 2006 at 7:39 PM

Can you try again? I just updated 2.6.2-7, it's now SVN revision 1747.
Having a [global] section plus a [global] logbook is a severe
misconfiguration, so I did not try that combination before. But now it
should be fixed.

- Stefan
--------
 From: OS2A BTO <os2a.bto@gmail.com>
To: Stefan Ritt <stefan.ritt@psi.ch>
Date: Wed, Nov 8, 2006 at 7:54 PM

Hi,

If we create any other directory prefixed with global in configuration
file, and try the same in URL, it again crashes.
I created a logbook named 'global__' in elogd.cfg and tried to access
http://192.168.3.5:8080/global__/
it crashed again.

---------------------------------->8---------------------------------------

-- 
roktas
[signature.asc (application/pgp-signature, inline)]
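A cut-down C model, added here and not ELOG's own code, of the lookup the advisory above describes: a config reader that never registers the [global] settings section as a logbook, and a listing step that checks lbs and lbs->n_el_index before the "n_msg = *lbs->n_el_index" dereference, answering 404 instead of crashing. The LOGBOOK struct, function names and the sample elogd.cfg are constructed assumptions.

```c
#include <string.h>

#define MAX_LOGBOOKS 8
#define NAME_LEN 32

/* Hypothetical stand-in for elogd's per-logbook record. */
typedef struct {
    char name[NAME_LEN];
    int  n_entries;     /* what *lbs->n_el_index counts in elogd */
    int *n_el_index;    /* NULL means "no index": not a usable logbook */
} LOGBOOK;

static LOGBOOK logbooks[MAX_LOGBOOKS];
static int n_logbooks;

/* Constructed elogd.cfg in the shape of the one in the report: a [global]
 * settings section followed by two logbooks, one of them named global__. */
static const char *sample_cfg =
    "[global]\nport = 8080\n\n[demo]\nTheme = default\n\n[global__]\nTheme = default\n";

/* Register every "[name]" header that starts a line, except the settings
 * section "global", which is configuration and never a logbook. */
int load_logbooks(const char *cfg) {
    n_logbooks = 0;
    for (const char *line = cfg; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 2 && line[0] == '[' && line[len - 1] == ']' &&
            len - 2 < NAME_LEN && n_logbooks < MAX_LOGBOOKS) {
            LOGBOOK *lb = &logbooks[n_logbooks];
            memcpy(lb->name, line + 1, len - 2);
            lb->name[len - 2] = '\0';
            if (strcmp(lb->name, "global") != 0) {   /* skip the settings section */
                lb->n_entries = 0;
                lb->n_el_index = &lb->n_entries;
                n_logbooks++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n_logbooks;
}

/* Resolve the first component of a request path such as "/global/" to a
 * registered logbook; NULL for the settings section or an unknown name. */
LOGBOOK *find_logbook(const char *path) {
    char name[NAME_LEN];
    const char *start = (*path == '/') ? path + 1 : path;
    const char *slash = strchr(start, '/');
    size_t len = slash ? (size_t)(slash - start) : strlen(start);
    if (len == 0 || len >= sizeof name) return NULL;
    memcpy(name, start, len);
    name[len] = '\0';
    for (int i = 0; i < n_logbooks; i++)
        if (strcmp(logbooks[i].name, name) == 0) return &logbooks[i];
    return NULL;
}

/* The listing step from the advisory, with the check it lacked: -1 tells
 * the caller to answer 404 instead of dereferencing a NULL index. */
int entry_count(const char *path) {
    LOGBOOK *lbs = find_logbook(path);
    if (lbs == NULL || lbs->n_el_index == NULL) return -1;
    return *lbs->n_el_index;
}
```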

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to "OS2A BTO" <os2a.bto@gmail.com>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #32 received at 392016@bugs.debian.org:

From: "OS2A BTO" <os2a.bto@gmail.com>
To: 392016@bugs.debian.org
Subject: ELOG Web Logbook Remote Denial of Service Vulnerability
Date: Sat, 11 Nov 2006 21:42:18 +0530
Details of the vulnerability are described in the advisory
(os2a_1008.txt) attached to this mail.

Thanks,
OS2A
[os2a_1008.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #37 received at 392016@bugs.debian.org:

From: Ulf Harnhammar <metaur@telia.com>
To: 392016@bugs.debian.org
Cc: Stefan.Ritt@psi.ch
Subject: Further security patching of ELOG
Date: Sat, 2 Dec 2006 20:54:28 +0100
Hello,

while browsing the ELOG entries at Secunia, I saw that my
security bugs in ELOG were only marked as partially fixed.
After some investigation, I found out that one more patch
was needed to close the XSS bug when handling Categories
(more specifically, when Adding a new Category called
something like "><script>alert(1096)</script>, that piece
of JavaScript will be executed when other users click on
New, which is bad). I have attached a patch for this too.

I also noticed that two other vulnerabilities in ELOG
were marked as Unpatched. Are these two fixed, Stefan?

  o  http://secunia.com/advisories/18124/
  o  http://secunia.com/advisories/22057/

Regards, Ulf Harnhammar

[elog.security2.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#392016; Package elog.


Acknowledgement sent to Stefan Ritt <stefan.ritt@psi.ch>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #42 received at 392016@bugs.debian.org:

From: Stefan Ritt <stefan.ritt@psi.ch>
To: 392016@bugs.debian.org
Subject: Re: Further security patching of ELOG
Date: Fri, 16 Feb 2007 23:05:57 +0100
Hi,

the vulnerabilities on secunia.com have been fixed a long time ago (see
their recommendation to upgrade).

The patch you supplied is actually not enough to prohibit users from
entering script code. I fixed the following additional cases:

- Entering a user name, full name or email address containing JavaScript
- Doing a search by entering JavaScript in an attribute search field
- Entering JavaScript in a quick filter text box.

The fixes are contained in SVN revision 1792.

Regards,

  Stefan Ritt



Reply sent to Raphael Geissert <atomo64@gmail.com>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.


Message #47 received at 392016-done@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: 392016-done@bugs.debian.org
Subject: elog has been removed from Debian, closing #392016
Date: Thu, 15 May 2008 14:14:42 -0500
Version: 2.6.3+r1764-1.1+rm

The elog package has been removed from Debian testing, unstable and
experimental, so I am now closing the remaining open bugs.

For more information about this package's removal, read
http://bugs.debian.org/472279 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

Kind regards,
--
Raphael Geissert




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Aug 2008 10:16:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Aug 2 00:07:17 2024; Machine Name: buxtehude
