Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Recai Oktaş <roktas@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: debian-audit@shellcode.org
Subject: elog: Needs a security audit
Date: Mon, 09 Oct 2006 19:48:02 +0200
Package: elog
Severity: grave
Tags: security
Justification: user security hole
In #389361 a complete lack of web script sanitising for logbook entries
was discovered and DSA-967 already fixed lots of vulnerabilities.
AFAICT Debian is the only distribution including elog, which seems
to have received relatively little external review. I guess it should
only be included in Etch after an audit by the debian-audit people.
Audit people, do you think you can review it before Etch?
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
I'll see what I can do.
// Ulf
--
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com
Powered by Outblaze
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
Hello,
I have performed a security audit of ELOG and here is what I found:
1) There is some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs, when a user uploads
and submits as the first attachment in an entry a file called
"%n%n%n%n" - or similar - which must not be empty.
The attached patch fixes this in two places and many other format
string problems just to be sure.
2) There is a Cross-site Scripting issue when requesting correctly
named but non-existent files for downloading, like with this URL:
http://localhost:8080/demo/123456_789012/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
The attached patch corrects this by quoting the dangerous characters.
3) There are also Cross-site Scripting issues when creating new
entries with New. If a document sends data to ELOG where the
fields Type and Category contain invalid entries with HTML code,
the resulting error document will print the Type or Category data
as-is with no quoting.
The attached patch corrects this minor problem as well.
I have verified that all three problems exist in Debian unstable,
as well as in the upstream ELOG-2.6.2 version. I haven't checked
any other versions (but the upstream SVN trunk looks like it also
has these bugs).
// Ulf Harnhammar, Debian Security Audit Project
http://www.debian.org/security/audit/
--
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
* Ulf Harnhammar [2006-11-08 23:14:16+0100]
> I've just verified that elog in stable is vulnerable to
> all issues mentioned in bug #392016.
Thank you very much for looking into this! I've got another report
attached below. I'll look into this problem also and will keep this bug
report open as I think elog should not enter Etch due to all the potential
security issues, which increase the workload on our security team during
the stable release cycle.
---------------------------------->8---------------------------------------
FYI
Hi,
We are working with Mr. Stefan Ritt on this issue and waiting for the fix.
Thanks,
OS2A
Forwarded Conversation
Subject: ELOG Web Logbook Remote Denial of Service Vulnerability
------------------------
From: OS2A BTO <os2a.bto@gmail.com>
To: stefan.ritt@psi.ch
Date: Wed, Nov 8, 2006 at 6:12 PM
Attachments: os2a_1008.txt
Hi,
We recently came across a Denial of Service vulnerability in ELOG's
elogd server which allows attackers to crash the service, thereby preventing
legitimate access.
Attached is our security advisory which describes the vulnerability in detail.
Please let us know the time you might require to fix this issue.
And also let us know if you have any questions.
A quick and positive response from your side would be highly appreciated.
Thanks,
OS2A Team.
--------
From: Stefan Ritt <stefan.ritt@psi.ch>
To: OS2A BTO <os2a.bto@gmail.com>
Date: Wed, Nov 8, 2006 at 6:31 PM
Dear OS2A team,
thank you for reporting this vulnerability and for the detailed
analysis, I really appreciate it. I fixed this problem and just released
version 2.6.2-7 (SVN revision 1746).
Best regards,
Stefan Ritt
--
Dr. Stefan Ritt
Paul Scherrer Institute
OLGA/021
CH-5232 Villigen PSI
Phone: +41 56 310 3728
FAX: +41 56 310 2199
mailto:stefan.ritt@psi.ch
http://midas.psi.ch/~stefan
------------------------------------------------------------------------
>
> ELOG Web Logbook Remote Denial of Service Vulnerability
>
>
> OS2A ID: OS2A_1008 Status:
> 10/31/2006 Issue Discovered
> 11/08/2006 Reported to the Vendor
> -- Fixed by Vendor
> -- Advisory Released
>
>
> Class: Denial of Service Severity: Medium
>
>
> Overview:
> ---------
> The Electronic Logbook (ELOG) is part of a family of applications known as
> weblogs. ELOG is a remarkable implementation of a weblog in its simplicity of
> use and versatility.
> http://midas.psi.ch/elog/index.html
>
> Description:
> ------------
> Remote exploitation of a denial of service vulnerability in ELOG's
> elogd server allows attackers to crash the service, thereby preventing
> legitimate access.
>
> The [global] section in configuration file elogd.cfg is used for settings
> common to all logbooks. The vulnerability is due to improper handling of an
> HTTP GET request if logbook name 'global' (or any logbook name prefixed
> with global) is used in the request. When such a request is received,
> a NULL pointer dereference occurs, leading to a crash of the service.
>
> Only authenticated users can exploit this vulnerability if the application
> is configured with a password.
>
> Impact:
> -------
> Successful exploitation allows a remote attacker to crash the elogd server.
>
> Affected Software(s):
> ---------------------
> ELOG 2.6.2 and prior.
>
> Proof of Concept:
> -----------------
> The HTTP GET request given below is sufficient to crash an affected server:
> http://www.example.com/global/
>
> Analysis:
> -----------
> #gdb ./elogd
> ...
> ...
>
> (gdb) break show_elog_list
> Breakpoint 2 at 0x809d6e0
>
> (gdb) c
> Continuing.
> (no debugging symbols found)
> elogd 2.6.2 built Nov 8 2006, 01:25:48 revision 1699
> Falling back to default group "elog"
> Falling back to default user "elog"
> Indexing logbooks ... done
> Server listening on port 8080 ...
>
> Breakpoint 2, 0x0809d6e0 in show_elog_list ()
> (gdb) c
> Continuing.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0809eb7a in show_elog_list ()
>
> (gdb) bt
> #0 0x0809eb7a in show_elog_list ()
> #1 0x00000000 in ?? ()
>
> (gdb) i r
> eax 0x0 0
> ecx 0x9d43d88 164904328
> edx 0x0 0
> ebx 0x0 0
> esp 0xbfa8aca0 0xbfa8aca0
> ebp 0x80df40c 0x80df40c
> esi 0xbfb27050 -1078824880
> edi 0x0 0
> eip 0x809eb7a 0x809eb7a
> eflags 0x200246 2097734
> cs 0x73 115
> ss 0x7b 123
> ds 0x7b 123
> es 0x7b 123
> fs 0x0 0
> gs 0x33 51
>
> (gdb) x/i $eip
> 0x809eb7a <show_elog_list+5274>: mov (%eax),%eax
>
> The vulnerable code is at Line:16774 of elogd.c,
> n_msg = *lbs->n_el_index;
> where the pointer lbs is dereferenced before being null checked.
>
> --- elogd.c, Line:16772 -----
>
> } else {
> n_logbook = 1;
> n_msg = *lbs->n_el_index;
> }
>
> msg_list = xmalloc(sizeof(MSG_LIST) * n_msg);
>
> ---elogd.c, Line:16778 -----
>
>
> CVSS Score Report:
> -----------------
> ACCESS_VECTOR = REMOTE
> ACCESS_COMPLEXITY = LOW
> AUTHENTICATION = NOT_REQUIRED
> CONFIDENTIALITY_IMPACT = NONE
> INTEGRITY_IMPACT = NONE
> AVAILABILITY_IMPACT = COMPLETE
> IMPACT_BIAS = AVAILABILITY
> EXPLOITABILITY = FUNCTIONAL
> REMEDIATION_LEVEL = WORKAROUND
> REPORT_CONFIDENCE = CONFIRMED
> CVSS Base Score = 5.0 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A)
> CVSS Temporal Score = 4.5
> Risk factor = Medium
>
>
> Vendor Response:
> ---------------
>
>
>
> Solution:
> ---------
> Before using the pointer, ensure that it is not equal to NULL.
> eg:
>
> if(!lbs->n_el_index) {
> /* handle the null pointer dereference condition here */
> }
>
> Credits:
> -------
> Jayesh KS and Arun Kethipelly of OS2A have been credited with the discovery and
> analysis of this vulnerability.
>
--------
From: OS2A BTO <os2a.bto@gmail.com>
To: Stefan Ritt <stefan.ritt@psi.ch>
Date: Wed, Nov 8, 2006 at 7:27 PM
Dear Stefan Ritt,
Thanks for the quick response.
We tested the fix you provided and it still seems to have the problem.
We created another logbook named 'global', after the logbook 'demo',
in the configuration file elogd.cfg and tried accessing the server
with http://elogsite:8080/global/.
It's giving a segmentation fault.
This is the configuration file we used:
------elogd.cfg------------
[global]
port = 8080
[demo]
Theme = default
Comment = General linux tips & tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed,
Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type
[global]
Theme = default
Comment = General linux tips & tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed,
Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type
-------------elogd.cfg---------------------
Thanks,
OS2A
--------
From: Stefan Ritt <stefan.ritt@psi.ch>
To: OS2A BTO <os2a.bto@gmail.com>
Date: Wed, Nov 8, 2006 at 7:39 PM
Can you try again? I just updated 2.6.2-7, it's now SVN revision 1747.
Having a [global] section plus a [global] logbook is a severe
misconfiguration, so I did not try that combination before. But now it
should be fixed.
- Stefan
--------
From: OS2A BTO <os2a.bto@gmail.com>
To: Stefan Ritt <stefan.ritt@psi.ch>
Date: Wed, Nov 8, 2006 at 7:54 PM
Hi,
If we create any other directory prefixed with global in configuration
file, and try the same in URL, it again crashes.
I created a logbook named 'global__' in elogd.cfg and tried to access
http://192.168.3.5:8080/global__/
it crashed again.
---------------------------------->8---------------------------------------
--
roktas
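The advisory above attributes the crash to `n_msg = *lbs->n_el_index;` running on a logbook that never got an entry index. The following is an added illustration, not elogd's code or the vendor's fix: a simplified model in which the [global] settings section (and, by assumption, any section whose name starts with "global") is skipped by the indexer and so has a NULL index, with the unchecked count beside a version that refuses such a section instead of dereferencing it.

```c
/* Added illustration (not elogd's code): why a request for a logbook
 * named "global" or "global__" reaches a NULL n_el_index, and how the
 * count step can refuse it instead of dereferencing the pointer. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

typedef struct {
    const char *name;       /* config section name, e.g. "demo" */
    int        *n_el_index; /* entry index; NULL when none was built */
} LOGBOOK;

/* Constructed config: [global] settings section plus logbooks, one of
 * which is misnamed "global__". Assumption: the indexer skips any
 * section whose name starts with "global", so those get no index. */
static int demo_count = 3;
static int work_count = 7;
static LOGBOOK sections[] = {
    { "global",   NULL },
    { "demo",     &demo_count },
    { "global__", NULL },
    { "work",     &work_count },
};

static LOGBOOK *find_section(const char *name) {
    for (size_t i = 0; i < sizeof sections / sizeof sections[0]; i++)
        if (strcasecmp(sections[i].name, name) == 0)
            return &sections[i];
    return NULL;
}

/* Vulnerable shape (mirrors the advisory): dereferences unconditionally. */
int count_messages_unchecked(const LOGBOOK *lbs) {
    return *lbs->n_el_index;   /* SIGSEGV when lbs or n_el_index is NULL */
}

/* Hardened: validate both pointers; -1 means "not a browsable logbook",
 * which the request handler can turn into an error page. */
int count_messages(const LOGBOOK *lbs) {
    if (lbs == NULL || lbs->n_el_index == NULL)
        return -1;
    return *lbs->n_el_index;
}

/* What the handler would call with the first URL path segment. */
int message_count_for_path(const char *segment) {
    return count_messages(find_section(segment));
}
```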
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to "OS2A BTO" <os2a.bto@gmail.com>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to metaur@telia.com:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
Hello,
while browsing the ELOG entries at Secunia, I saw that my
security bugs in ELOG were only marked as partially fixed.
After some investigation, I found out that one more patch
was needed to close the XSS bug when handling Categories
(more specifically, when Adding a new Category called
something like "><script>alert(1096)</script>, that piece
of JavaScript will be executed when other users click on
New, which is bad). I have attached a patch for this too.
I also noticed that two other vulnerabilities in ELOG
were marked as Unpatched. Are these two fixed, Stefan?
o http://secunia.com/advisories/18124/
o http://secunia.com/advisories/22057/
Regards, Ulf Harnhammar
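Both of Ulf's reports (the download-path and Type/Category echoes in the audit, and the Category name above) come down to user-supplied text being written into a page unquoted. The following is an added example, not one of Ulf's or Stefan's patches: a small escaper for the HTML-significant characters, with a bounds check, exercised on the Category name quoted above (the buffer sizes and helper names are this example's own).

```c
/* Added illustration (not an ELOG patch): escape the HTML-significant
 * characters before a user-supplied value (a Category name, a requested
 * attachment file name, a search term) is echoed into a page. Returns the
 * escaped length, or -1 if `out` is too small to hold it plus the NUL. */
#include <stddef.h>
#include <string.h>

static const char *entity_for(char c) {
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

long html_escape(const char *in, char *out, size_t outsz) {
    size_t used = 0;
    for (; *in; in++) {
        const char *rep = entity_for(*in);
        size_t len = rep ? strlen(rep) : 1;
        if (used + len + 1 > outsz)      /* leave room for the NUL */
            return -1;
        if (rep) memcpy(out + used, rep, len);
        else     out[used] = *in;
        used += len;
    }
    out[used] = '\0';
    return (long)used;
}

/* Check a handler could apply before echoing a value into an error page:
 * true when the escaped form carries no raw markup or quote characters. */
int escaped_is_inert(const char *escaped) {
    return strpbrk(escaped, "<>\"'") == NULL;
}

/* Constructed sample: the Category name from the follow-up report above. */
const char *sample_category = "\"><script>alert(1096)</script>";
```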
Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>: Bug#392016; Package elog.
Acknowledgement sent to Stefan Ritt <stefan.ritt@psi.ch>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.
Hi,
the vulnerabilities on secunia.com have been fixed a long time ago (see
their recommendation to upgrade).
The patch you supplied is actually not enough to prohibit users from
entering script code. I fixed the following additional cases:
- Enter a user name, full name or email address containing JavaScript
- Doing a search by entering JavaScript in an attribute search field
- Entering JavaScript in a quick filter text box.
The fixes are contained in SVN revision 1792.
Regards,
Stefan Ritt
Reply sent to Raphael Geissert <atomo64@gmail.com>:
You have taken responsibility.
Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
Subject: elog has been removed from Debian, closing #392016
Date: Thu, 15 May 2008 14:14:42 -0500
Version: 2.6.3+r1764-1.1+rm
The elog package has been removed from Debian testing, unstable and
experimental, so I am now closing the remaining open bugs.
For more information about this package's removal, read
http://bugs.debian.org/472279 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
Kind regards,
--
Raphael Geissert
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 Aug 2008 10:16:45 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.