mgetty 1.2.0 Buffer Overflow / Privilege Escalation Vulnerabilities

Author: Eric Sesterhenn
Source: 0day.today (1337DAY-ID-31142)
Published: 2018-09-21

mgetty version 1.2.0 suffers from buffer overflow, code execution, and various other privilege escalation related vulnerabilities.

Multiple Vulnerabilities in mgetty
==================================


Overview
--------
Confirmed Affected Versions: 1.2.0
Patched Versions: 1.2.1
Vendor: mgetty
Vendor URL: http://mgetty.greenie.net
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty


Summary and Impact
------------------
Multiple issues have been identified in the mgetty fax software. These
might be used by local users to elevate their privileges.
X41 did not perform a full test or audit on the software.


Product Description
-------------------
From the vendor: For those of you that do not know mgetty+sendfax yet:
it's a reliable and proven fax send and receive solution for unix and
Linux. But it can do much more... so read the docs and be surprised.

Shell injection via faxq-helper
===============================
Severity Rating: Medium
Vector: Fax Job
CVE: CVE-2018-16741
CWE: 78
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
In fax/faxq-helper.c function do_activate(), not all characters are
properly sanitized to prevent command injection. It is possible to use
||, && or > to change the control flow.

{% highlight c %}
        /* replace all quote characters, backslash and ';' by ' ' */
        for( q = buf; *q != '\0'; q++ )
        {
            if ( *q == '\'' || *q == '"' || *q == '`' ||
                 *q == '\\' || *q == ';' )
                                    { *q = ' '; }
        }
{% endhighlight %}

A job file containing malicious input can be activated using
faxq-helper activate <jobid>. Once faxrunq is started, the code is
executed as the user running the command.

{% highlight bash %}
    # replace all quote characters, backslash and ';' by ''
    #               "   '    \    $   ;
    command=`tr -d '\042\047\140\134\044\073' <JOB | \
             $AWK 'BEGIN { phone="-"; flags=""; pages="" }
                  $1=="phone" { phone=$2 }
                  $1=="header"     { flags=flags" -h "$2 }
                  $1=="poll"       { flags=flags" -p" }
                  $1=="normalres" { flags=flags" -n" }
                  $1=="accthandle" { flags=flags" -A \""substr($0,13)"\"" }
                  $1=="pages" { for( i=2; i<=NF; i++) pages=pages$i" " }
                  END { printf "'"$FAXSENDER"' -v%s %s %s", \
                               flags, phone, pages }' -`

    # execute faxsend command
    $echo "$command"

    eval $command
{% endhighlight %}
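As an added example (not mgetty's code), the denylist from the do_activate() excerpt sits next to an allowlist check for the same job field. The denylist blanks only quotes, backslash and ';', so '|', '&' and '>' reach the shell unchanged; the allowlist accepts only characters a phone number or page file name needs and rejects the job otherwise. The allowed character set is an assumption for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Denylist as in the do_activate() excerpt: only quotes, backslash and ';'
 * are replaced by a space, so '|', '&' and '>' survive into the shell. */
void denylist_filter(char *buf)
{
    char *q;
    for (q = buf; *q != '\0'; q++) {
        if (*q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';')
            *q = ' ';
    }
}

/* Allowlist: a field is accepted only if every byte is alphanumeric or one
 * of a small fixed set (assumed here). Anything else, including '|', '&',
 * '>', '$' and newline, rejects the whole job instead of being patched up. */
bool allowlist_ok(const char *field)
{
    static const char extra[] = "+-._/@ ";
    for (; *field != '\0'; field++) {
        unsigned char c = (unsigned char)*field;
        if (!isalnum(c) && strchr(extra, c) == NULL)
            return false;
    }
    return true;
}

/* Applies the denylist to a copy of a job line and reports whether a shell
 * metacharacter is still present afterwards: what the original check misses. */
bool shell_meta_survives(const char *job_line)
{
    char buf[256];
    strncpy(buf, job_line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    denylist_filter(buf);
    return strpbrk(buf, "|&><$()\n") != NULL;
}
```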


Stack Based Buffer Overflow With Long Username in contrib/next-login/login.c
============================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16743
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file contrib/next-login/login.c the command line parameter username
is passed unsanitized to strcpy(), which causes a stack based buffer
overflow if too long.

{% highlight c %}
        char tbuf[MAXPATHLEN + 2], tname[sizeof(PATHTTY) + 10];
...
        if (*argv) {
                username = *argv;
                ask = 0;
...
                if (failures && strcmp(tbuf, username)) {
                        if (failures > (pwd ? 0 : 1))
                                badlogin(tbuf);
                        failures = 0;
                }
                (void)strcpy(tbuf, username);
{% endhighlight %}


Stack Based Buffer Overflow With Long Argument in contrib/scrts.c
=================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16742
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file contrib/scrts.c a stack buffer overflow can be triggered via a
command line parameter.

{% highlight c %}
int main( int argc, char ** argv )
{
int i, fd;
struct termios tio;
char device[1000];

    for ( i=1; i<argc; i++ )
    {
        if ( strchr( argv[i], '/' ) == NULL )
            sprintf( device, "/dev/%s", argv[i] );
        else
            strcpy( device, argv[i] );
{% endhighlight %}
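Added example (not mgetty's code) covering both this excerpt and the strcpy(tbuf, username) in contrib/next-login/login.c: the same device-path construction done with a bounded write that refuses an argument which does not fit, instead of overrunning the fixed stack buffer.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the sprintf()/strcpy() pair in scrts.c.
 * Returns 0 and fills dst, or -1 if the result (including the terminating
 * NUL) would not fit in cap bytes, in which case dst is left empty.
 * The same length check is what the strcpy() in login.c lacks. */
int make_device_path(char *dst, size_t cap, const char *arg)
{
    int n;
    if (cap == 0)
        return -1;
    if (strchr(arg, '/') == NULL)
        n = snprintf(dst, cap, "/dev/%s", arg);
    else
        n = snprintf(dst, cap, "%s", arg);
    /* snprintf() reports the length it wanted; >= cap means truncation */
    if (n < 0 || (size_t)n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}
```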


Stack Based Buffer Overflow and Command injection in faxrec.c
=============================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16744 (for command injection), CVE-2018-16745 (for overflow)
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file faxrec.c function fax_notify_mail(), the mail_to parameter is
not sanitized. It could allow for command injection or a buffer
overflow if it is too long. It is called from faxrec(), which in turn
is called from main() in mgetty.c. Since the notify_mail parameter is
a configuration parameter, it should only be possible to set it from a
trusted source. If mgetty were used with e.g. a web front end, this
might be abused for a privilege escalation.

{% highlight c %}
void fax_notify_mail _P3( (pagenum, ppagenum, mailto),
                          int pagenum, int ppagenum, char * mailto )
{
FILE  * pipefp;
char  * filename, * p;
char    buf[256];
int     r;
time_t  ti;
    lprintf( L_NOISE, "fax_notify_mail: sending mail to: %s", mailto );
    sprintf( buf, "%s %s >/dev/null 2>&1", MAILER, mailto );
    pipefp = popen( buf, "w" );
{% endhighlight %}


Endless loop in g3/g32pbm.c
===========================
When converting g32 files using g3/g32pbm.c, an endless loop can be
triggered by a malformed input file. An example can be found at
files/g32pmbinfiniteloop.

Out Of Bounds Access in g3/pbm2g3.c
===================================
When converting pbm files using g3/pbm2g3.c, out of bounds accesses
can occur with malformed input files in putwhitespan(). An example can
be found with files/pbm2g2oobaccess.

{% highlight c %}
     putcode( t_white[l].bit_code, t_white[l].bit_length );
{% endhighlight %}


Workaround
----------
None.


Timeline
--------
2018-06-07 Issues found
2018-08-27 Issue reported to vendor
2018-08-28 Vendor reply
2018-09-08 Vendor sends patches
2018-09-08 CVE IDs requested
2018-09-09 CVE IDs assigned
2018-09-11 Patched Version released
2018-09-11 Advisory released

#  0day.today [2018-09-22]  #