8786326 2002-07-29 10:02 -0700  /104 lines/ Lee Howard <faxguy@deanox.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-29  20:23  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External copy recipient: hylafax-announce@hylafax.org
External replies to: faxguy@deanox.com
Recipient: Bugtraq (import) <23321>
Subject: HylaFAX - Various Vulnerabilities Fixed
------------------------------------------------------------
From: Lee Howard <faxguy@deanox.com>
To: bugtraq@securityfocus.com
Cc: hylafax-announce@hylafax.org
Message-ID: <20020729170206.GK1222@bilbo>

HylaFAX.org Security Advisory
17 June 2002

Subject: Various Vulnerabilities Fixed


Introduction:

HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages.  It runs on a wide variety of UNIX-like
platforms including Linux, BSD (including Mac OS X), SunOS and
Solaris, SCO, IRIX, AIX, and HP-UX.  See http://www.hylafax.org

HylaFAX.org has hosted, distributed, and directed HylaFAX software
development since 1997.

iFax Solutions is the commercial support arm of HylaFAX.org and
provides single-incident or annual support contracts as well as other
commercial support options.  See http://www.hylafax.org/support.html


Problem Description and Impact:

iFax Solutions recently discovered that HylaFAX faxgetty in versions
prior to 4.1.3 does not check the TSI string which is received from
the remote facsimile system before it uses it in logging and
elsewhere.  However, reception protocol limits the length of the TSI
string to twenty characters.  Consequently, a remote sender with a
specially-formatted TSI string can cause faxgetty to segmentation
fault, and although it is unlikely that this could be used to execute
arbitrary commands, it does expose an easily exploitable denial of
service vulnerability.

Development discussion to eliminate this vulnerability is available
at: http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300

Christer Oberg reported on Bugtraq in September 2001 that HylaFAX
faxrm and faxalter had format strings vulnerabilities (see
http://www.securityfocus.com/archive/1/215984).  HylaFAX development
found this vulnerability to be applicable to all executables in
versions prior to 4.1.3 which accept the "-h host" option because the
mentioned user input was not checked before sending an error message
to standard error/output.  These binaries include faxalter, faxrm,
faxstat, sendfax, sendpage, and faxwatch.  In distributions such as
FreeBSD which independently made any of these binaries set-uid (not
the HylaFAX default), an attacker could use these vulnerabilities to
gain elevated system privileges.

Development discussion to eliminate these vulnerabilities is
available at: http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=202

CAN-2001-1034 was assigned to this vulnerability.  See
http://www.securityfocus.com/bid/3357 for details.

In recent testing, Lee Howard discovered that faxgetty would segfault
due to a buffer overflow after receiving a very large line of image
data.  Potentially, this vulnerability could allow an attacker to
maliciously craft an exploiting faxsend mechanism to call a
vulnerable host, conceivably using the buffer overflow to execute
arbitrary commands on the host system.  Since on most installations
faxgetty is run as root, such an exploitation would allow the abuse
of root permissions.  This vulnerability could more easily be abused
for denial of service purposes.

Development discussion to eliminate this vulnerability is available
at: http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=312
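The three problems above are two classic bug classes: untrusted text
(the received TSI, the "-h host" argument) passed to a printf-style
function as the format string, and a received line copied into a fixed
buffer without a length check.  The following is an added illustration
written for this advisory, not HylaFAX code; the function names and
the sample TSI value are made up, and the 20-character TSI limit is
the protocol limit the advisory mentions.  It shows the hardened form
of each pattern: a constant format with the untrusted value as a "%s"
argument, a TSI copy bounded to the protocol length with non-printable
bytes replaced before logging, and a scanline copy that rejects input
larger than its buffer instead of overrunning it.

```c
/* Added example (not HylaFAX code). Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define TSI_MAX 20   /* T.30 limits the TSI string to 20 characters (see advisory) */

/* VULNERABLE pattern (shown only as a comment): the untrusted string *is* the
 * format argument, so any '%' conversions in it are interpreted by fprintf:
 *
 *     fprintf(stderr, host);
 *
 * HARDENED form: the format is a string literal and the untrusted value is
 * supplied as a "%s" argument. snprintf never writes past outsz; the return
 * value tells the caller whether the message was truncated. */
static int format_host_error(char *out, size_t outsz, const char *host)
{
    int n = snprintf(out, outsz, "cannot reach host %s", host);
    if (n < 0) return -1;                 /* encoding error */
    return ((size_t)n < outsz) ? 0 : -1;  /* -1: message was truncated */
}

/* Copy a received TSI into a fixed buffer: enforce the protocol length limit
 * and replace non-printable bytes so the value is safe to log and display.
 * Returns the number of characters written (excluding the terminating NUL). */
static size_t sanitize_tsi(const char *raw, size_t rawlen, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    if (rawlen > TSI_MAX) rawlen = TSI_MAX;    /* ignore anything past the limit */
    for (size_t i = 0; i < rawlen && n + 1 < outsz; i++) {
        unsigned char c = (unsigned char)raw[i];
        out[n++] = isprint(c) ? (char)c : '?';  /* control bytes become '?' */
    }
    out[n] = '\0';
    return n;
}

/* Copy one line of image data into a fixed receive buffer. A line longer than
 * the buffer is rejected (returns 0) rather than written past the end. */
static int copy_scanline(unsigned char *dst, size_t dstsz,
                         const unsigned char *src, size_t srclen)
{
    if (srclen > dstsz) return 0;   /* oversized line: refuse, do not overflow */
    memcpy(dst, src, srclen);
    return 1;
}
```

A caller that logs the sanitized TSI should still do so as
`fprintf(log, "TSI: %s\n", tsi)`; the sanitizer bounds the length and
removes control characters, but only the constant format string removes
the format-string hazard itself.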

Status:

HylaFAX development has corrected all of the vulnerabilities
described here as well as provided numerous other bugfixes and
enhancements in its recent 4.1.3 patchlevel code release.  All users
are strongly encouraged to upgrade.  See
http://www.hylafax.org/download.html to obtain 4.1.3 source code.

For users who are somehow unable to upgrade, HylaFAX CVS-based
patches are available for these vulnerabilities individually at
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=290&action=view,
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=300&action=view,
and
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=318&action=view
respectively.

There are no known exploits for any of the described vulnerabilities
beyond what is stated above.


Thanks:

Special thanks goes to iFax Solutions and Christer Oberg for pointing
out these vulnerabilities to HylaFAX development.  Many thanks also
go to Vyacheslav Frolov and Patrice Fournier for their development
work in providing these patches.

--
Lee Howard
HylaFAX Support Engineer
iFax Solutions, Inc.
lee.howard@hylafax.org