X41 D-Sec GmbH Security Advisory: X41-2018-007

Multiple Vulnerabilities in mgetty

Overview

Confirmed Affected Versions: 1.2.0

Patched Versions: 1.2.1

Vendor: mgetty

Vendor URL: http://mgetty.greenie.net

Credit: X41 D-Sec GmbH, Eric Sesterhenn

Status: Public

Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Summary and Impact

Multiple issues have been identified in the mgetty fax software. These might be used by local users to elevate their privileges.

X41 did not perform a full test or audit on the software.

Product Description

From the vendor: For those of you that do not know mgetty+sendfax yet: it's a reliable and proven fax send and receive solution for unix and Linux. But it can do much more... so read the docs and be surprised.

Shell injection via faxq-helper

Severity Rating: Medium

Vector: Fax Job

CVE: CVE-2018-16741

CWE: 78

CVSS Score: 6.1

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

In fax/faxq-helper.c function do_activate(), not all characters are properly sanitized to prevent command injection. It is possible to use ||, && or > to change the control flow.

        /* replace all quote characters, backslash and ';' by '_' */            
        for( q = buf; *q != '\0'; q++ )                                         
        {                                                                       
            if ( *q == '\'' || *q == '"' || *q == '`' ||                        
                 *q == '\\' || *q == ';' )                                      
                                    { *q = '_'; }                               
        }   

A job file containing malicious input can be constructed using faxq-helper activate <jobid>. One faxrunq is started, the code is executed as the user running the command.

        /* replace all quote characters, backslash and ';' by '_' */            
    #               "   '    `  \    $   ;
    command=`tr -d '\042\047\140\134\044\073' <JOB | \                          
             $AWK 'BEGIN { phone="-"; flags=""; pages="" }                      
                  $1=="phone" { phone=$2 }                                      
                  $1=="header"     { flags=flags" -h "$2 }                      
                  $1=="poll"       { flags=flags" -p" }                         
                  $1=="normal_res" { flags=flags" -n" }                         
                  $1=="acct_handle" { flags=flags" -A \""substr($0,13)"\"" }    
                  $1=="pages" { for( i=2; i<=NF; i++) pages=pages$i" " }        
                  END { printf "'"$FAX_SENDER"' -v%s %s %s", \                  
                               flags, phone, pages }' -`                        
                                                                                
#                                                                               
# execute faxsend command                                                       
#                                                                               
    $echo "$command"                                                            
    eval $command     

Stack Based Buffer Overflow With Long Username in contrib/next-login/login.c

Severity Rating: Low

Vector: Command Line Parameter

CVE: CVE-2018-16743

CWE: 121

CVSS Score: 2.9

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

In file contrib/next-login/login.c the command line parameter username is passed unsanitized to strcpy(), which causes a stack based buffer overflow if too long.

        char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];               
...
        if (*argv) {                                                            
                username = *argv;                                               
                ask = 0; 
...
                if (failures && strcmp(tbuf, username)) {                       
                        if (failures > (pwd ? 0 : 1))                           
                                badlogin(tbuf);                                 
                        failures = 0;                                           
                }                                                               
                (void)strcpy(tbuf, username); 

Stack Based Buffer Overflow With Long Argument in contrib/scrts.c

Severity Rating: Low

Vector: Command Line Parameter

CVE: CVE-2018-16742

CWE: 121

CVSS Score: 2.9

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

In file contrib/scrts.c a stack buffer overflow can be triggered via command line parameter.

int main( int argc, char ** argv )                                              
{                                                                               
int i, fd;                                                                      
struct termios tio;                                                             
char device[1000];                                                              
                                                                                
    for ( i=1; i<argc; i++ )                                                    
    {                                                                           
        if ( strchr( argv[i], '/' ) == NULL )                                   
            sprintf( device, "/dev/%s", argv[i] );                              
        else                                                                    
            strcpy( device, argv[i] );

Stack Based Buffer Overflow and Command injection in faxrec.c

Severity Rating: Low

Vector: Command Line Parameter

CVE: CVE-2018-16744 (for command injection), CVE-2018-16745 (for overflow)

CWE: 121

CVSS Score: 2.9

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

In file faxrec.c function fax_notify_mail(), the mail_to parameter is not sanitized. It could allow for command injection or a buffer overflow if it is too long. If is called from facrec() which in turn is called from main() in mgetty.c. Since the notify_mail parameter is a configuration parameter, it should only be possible to set it from trusted source. If mgetty would be used with e.g. a webfront end, this might be abused for a privilege escalation.

void fax_notify_mail _P3( (pagenum, ppagenum, mail_to),
                          int pagenum, int ppagenum, char * mail_to )
{
FILE  * pipe_fp;
char  * file_name, * p;
char    buf[256];
int     r;
time_t  ti;

    lprintf( L_NOISE, "fax_notify_mail: sending mail to: %s", mail_to );

    sprintf( buf, "%s %s >/dev/null 2>&1", MAILER, mail_to );

    pipe_fp = popen( buf, "w" );

Endless loop in g3/g32pbm.c

When converting g32 files using g3/g32pbm.c, an endless loop can be triggered by malformed input file. Example can be found at https://github.com/x41sec/advisories/blob/master/X41-2018-007/files/g32pmb_infinite_loop.

Out Of Bounds Access in g3/pbm2g3.c

When converting pbm files using g3/pbm2g3.c, out of bounds accesses can occur with malformed input files in putwhitespan(). An example can be found with https://github.com/x41sec/advisories/blob/master/X41-2018-007/files/pbm2g2_oob_access.

     putcode( t_white[l].bit_code, t_white[l].bit_length );

Workaround

None.

Timeline

2018-06-07 Issues found

2018-08-27 Issue reported to vendor

2018-08-28 Vendor reply

2018-09-08 Vendors sends patches

2018-09-08 CVE IDs requested

2018-09-09 CVE IDs assigned

2018-09-11 Patched Version released

2018-09-11 Advisory released

About X41 D-SEC GmbH

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.

Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and a IT security consulting and support services are core competencies of X41.

Author: Eric Sesterhenn
Date: September 11, 2018