COMMAND

    x-gw

SYSTEMS AFFECTED

    FWTK

PROBLEM

    Following is  based on  a geekgang  Security Advisory [gsa2000-01]
    by Pekka Savola who found the potential problem in the code.   The
    x-gw (X  Windows gateway)  component of  the TIS  Firewall Toolkit
    (FWTK) contains a format bug vulnerability that may be exploitable
    within  some  installations,  allowing  users to execute arbitrary
    code.

    The FWTK contains  a set of  proxy applications that  are designed
    to aid a computing professional in building a firewall system.  It
    is not a complete firewall product  within itself.  As such it  is
    impossible to ascertain all the different configurations in  which
    the various parts of the FWTK have been installed.

    The  x-gw  component  is  designed  to proxy connections bewteen X
    Windows clients and servers.  It would normally be invoked via the
    tn-gw (Telnet gateway) component of the FWTK.  Installations using
    this tn-gw  invocation method  of the  x-gw are  not vulnerable to
    this problem due to pre-processing of input data that is performed
    by the tn-gw.  Installations using any other method to invoke  the
    x-gw should check their vulnerability status.

    The x-gw takes the  X Windows display to  connect to as a  command
    line parameter or environment  variable.  It performs  some sanity
    checking on this  input and reports  an error if  the checks fail.
    The function that outputs the error message has a format bug,  and
    uses the supplied display string as part of the output.

    The function at fault is pmsg() in the source file x-gw/pmsg.c

    An exploit for  this vulnerability will  be made available  on the
    geekgang website.

SOLUTION

    Patch:

    --- x-gw/pmsg.c.orig Mon Oct 23 13:21:26 2000
    +++ x-gw/pmsg.c Mon Oct 23 13:22:36 2000
    @@ -37,9 +37,9 @@
      buf[sizeof(buf)-1] = '\0';
        }
    
    -   if( uselog ) syslog( LLEV, buf );
    +   if( uselog ) syslog( LLEV, "%s", buf );
        else {
    -       fprintf( stderr, buf );
    +       fprintf( stderr, "%s", buf );
            fflush(stderr);
        }
     }

    Don't allow  anyone other  than administrator  to log  in to  your
    firewall directly.  Or, don't run x-gw setuid.