COMMAND
x-gw
SYSTEMS AFFECTED
FWTK
PROBLEM
The following is based on a geekgang Security Advisory [gsa2000-01]
by Pekka Savola, who found the potential problem in the code. The
x-gw (X Windows gateway) component of the TIS Firewall Toolkit
(FWTK) contains a format bug vulnerability that may be exploitable
within some installations, allowing users to execute arbitrary
code.
The FWTK contains a set of proxy applications that are designed
to aid a computing professional in building a firewall system. It
is not a complete firewall product in itself. As such, it is
impossible to ascertain all the different configurations in which
the various parts of the FWTK have been installed.
The x-gw component is designed to proxy connections between X
Windows clients and servers. It would normally be invoked via the
tn-gw (Telnet gateway) component of the FWTK. Installations using
this tn-gw invocation method of the x-gw are not vulnerable to
this problem due to pre-processing of input data that is performed
by the tn-gw. Installations using any other method to invoke the
x-gw should check their vulnerability status.
The x-gw takes the X Windows display to connect to as a command
line parameter or environment variable. It performs some sanity
checking on this input and reports an error if the checks fail.
The function that outputs the error message has a format bug, and
uses the supplied display string as part of the output.
The function at fault is pmsg() in the source file x-gw/pmsg.c.
An exploit for this vulnerability will be made available on the
geekgang website.
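The behaviour described above, a display string that ends up as part of a format string, can be observed with a harmless input. This is an added example, not FWTK code: build_msg, emit_unpatched, emit_patched, display_was_interpreted and the message text are hypothetical, and snprintf() stands in for the syslog()/fprintf() sinks.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for pmsg(), not FWTK code. snprintf() into a buffer
 * replaces the syslog()/fprintf() sinks so the output can be compared. */

/* Builds the error text around the caller-supplied display string. */
static void build_msg(char *buf, size_t n, const char *display)
{
    snprintf(buf, n, "bad display: %s", display);
}

/* Pre-patch pattern: the assembled message is itself used as the format. */
int emit_unpatched(char *out, size_t n, const char *display)
{
    char buf[256];
    build_msg(buf, sizeof(buf), display);
    return snprintf(out, n, buf);       /* directives inside display are parsed */
}

/* Patched pattern: constant "%s" format, message passed as data only. */
int emit_patched(char *out, size_t n, const char *display)
{
    char buf[256];
    build_msg(buf, sizeof(buf), display);
    return snprintf(out, n, "%s", buf);
}

/* Returns 1 when the two paths disagree, i.e. the input was interpreted. */
int display_was_interpreted(const char *display)
{
    char a[256], b[256];
    emit_unpatched(a, sizeof(a), display);
    emit_patched(b, sizeof(b), display);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed inputs; "%%" is used because it consumes no argument. */
    const char *samples[] = { "fw-host:0", "fw-host%%:0" };
    for (int i = 0; i < 2; i++) {
        char out[256];
        emit_unpatched(out, sizeof(out), samples[i]);
        printf("unpatched: %s\n", out);
        emit_patched(out, sizeof(out), samples[i]);
        printf("patched:   %s\n", out);
    }
    return 0;
}
```

The unpatched path collapses the doubled percent sign to a single one, which shows that the display string is being parsed as a format; the patched path reproduces it byte for byte.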
SOLUTION
Patch:
--- x-gw/pmsg.c.orig Mon Oct 23 13:21:26 2000
+++ x-gw/pmsg.c Mon Oct 23 13:22:36 2000
@@ -37,9 +37,9 @@
buf[sizeof(buf)-1] = '\0';
}
- if( uselog ) syslog( LLEV, buf );
+ if( uselog ) syslog( LLEV, "%s", buf );
else {
- fprintf( stderr, buf );
+ fprintf( stderr, "%s", buf );
fflush(stderr);
}
}
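Review bot: the two sinks in pmsg() now take a constant "%s", but nothing in the hunk tells a later maintainer why; a short comment above the syslog() call stating that buf carries caller-supplied text and must never be passed as the format would guard against the change being reverted. The hunk also shows only the output side: the lines that fill buf lie above the visible context, so confirm that the formatting call there does not take the display string as its format either. Building with -Wformat -Wformat-security would flag any remaining non-literal format calls in the tree.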
Don't allow anyone other than the administrator to log in to your
firewall directly. Or, don't run x-gw setuid.