Bugtraq mailing list archives
[CERT-intexxia] AOLServer DB Proxy Daemon Format String Vulnerability
From: Benoît Roussel <benoit.roussel () intexxia com>
Date: Tue, 16 Apr 2002 13:53:22 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
30 01 2002 ID #1052-300102
________________________________________________________________________
TITLE : AOLServer DB Proxy Daemon Format String Vulnerability
CREDITS : Guillaume Pelat found this vulnerability / INTEXXIA
________________________________________________________________________
SYSTEM AFFECTED
===============
AOLServer 3.4.2
AOLServer 3.4.1
AOLServer 3.4
AOLServer 3.3.1
AOLServer 3.2.1
AOLServer 3.2
AOLServer 3.1
AOLServer 3.0
________________________________________________________________________
DESCRIPTION
===========
The Laboratory intexxia found a format string vulnerability in
the AOL Server external database driver proxy daemon API that could lead
to a privilege escalation.
________________________________________________________________________
DETAILS
=======
AOL Server provides an API to develop external database driver
proxy daemons. Those daemons are linked to a library (libnspd.a).
The Laboratory intexxia found a format string and a buffer overflow
vulnerability in the 'Ns_PdLog' function of the library. Successful
exploitation of the bug could allow an attacker to execute code and get
access on the system.
As a result, all the External Driver Proxy Daemons using the 'Ns_PdLog'
function with the 'Error' or 'Notice' parameter are potentially
vulnerable.
________________________________________________________________________
SOLUTION
========
This vulnerability has been fixed in the current version in CVS
branch nsd_v3_r3_p0 (post-AOLserver 3.4.2) and can be used for any
affected version. The patch used was created by intexxia and can be
found in attachment. More information can be found at the following
URL :
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1
________________________________________________________________________
VENDOR STATUS
=============
14-03-2002 : This bulletin was sent to the developpement team.
19-03-2002 : The vendor confirmed the vulnerability and fixed it
in the CVS branch nsd_v3_r3_p0 (post-AOLserver
3.4.2).
________________________________________________________________________
LEGALS
======
AOL Server is a registered trademark.
Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.
(c) intexxia 2002. This document is property of intexxia. Feel
free to use and distribute this material as long as credit is given to
intexxia and the author.
________________________________________________________________________
CONTACT
=======
CERT intexxia cert () intexxia com
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPLwQr02N8BNyNDXLEQK7yQCfVh/7x6yBxWKEi5iwRDaHEHuilGUAoN+u
14o6inQET/8E4GdnfqgS6Jtj
=YKem
-----END PGP SIGNATURE-----
Attachment:
SA1052-300102_aolserver-3.4.2-security-patched
Description:
Attachment:
SA1052-300102_aolserver-3.4.2-security-patched.sig
Description:
Current thread:
- [CERT-intexxia] AOLServer DB Proxy Daemon Format String Vulnerability Benoît Roussel (Apr 16)