reassign 412544 nessus-core
thanks
On Mon, Feb 26, 2007 at 07:19:41PM +0100, José Miguel Holguin Aparicio wrote:
> package: libc6
> version: 2.3.6.ds1-11
>
> When i invoke nessus with args :
>
> $nessus -q ip port user pass /tmp/host /tmp/host.nbe -T nbe
>
> Result :
> *** The plugins that have the ability to crash remote services or hosts
> have been disabled. You should activate them if you want your security
> audit to be complete
> Segmentation fault.
>
> More information with gdb :
> *** The plugins that have the ability to crash remote services or hosts
> have been disabled. You should activate them if you want your security
> audit to be complete
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00002b70565db5b0 in strlen () from /lib/libc.so.6
>
> (gdb) info stack
> #0 0x00002b70565db5b0 in strlen () from /lib/libc.so.6
> #1 0x00002b70565ad4bc in vfprintf () from /lib/libc.so.6
> #2 0x00002b70565cd72a in vsnprintf () from /lib/libc.so.6
> #3 0x0000000000403949 in network_printf (data=0x429110 "%s <|> %s\n") at
> auth.c:100
> #4 0x000000000040467c in cli_send_prefs_arglist (pref=0x21bda90,
> upload=0x7fff5536da88, pprefs=<value optimized out>)
> at comm.c:604
> #5 0x0000000000404941 in comm_send_preferences (preferences=<value
> optimized out>) at comm.c:630
> #6 0x0000000000409849 in attack_host (hostname=0x244fe60 "192.168.0.2",
> preferences=0x573050) at attack.c:162
> #7 0x00000000004068a1 in cli_test_network (cli=0x5730b0) at cli.c:448
> #8 0x0000000000424c64 in main (argc=<value optimized out>,
> argv=0x7fff5536dc88) at nessus.c:1273
> (gdb) select-frame 3
> (gdb) list auth.c:100
> 95 va_start(param, data);
> 96
> 97
> 98 for(;;)
> 99 {
> 100 r = vsnprintf(buffer, s - 1, data, param);
> 101 if(r >= 0 && r < s)break;
> 102 s = r > s ? r + 2 : s * 2;
> 103 buffer = erealloc(buffer, s);
> 104 }
> (gdb)
> 105 len = strlen(buffer);
> 106 while(n < len)
> 107 {
> 108 int m = 0;
> 109 int size = 1024;
> 110 /* send by packets of 1024 bytes due to a bug in libpeks */
> 111 while(m < size)
> 112 {
> 113 int e;
> 114 if((len - m - n) < size)size = len - m - n;
> (gdb) print buffer
> $2 = 0x244ff10 " <|> n_set <|>
> 20614;17264;22025;20935;15212;16206;24162;21608;20308;21825;24145;17062;15077;22330;16735;19787;23551;18613;20572;18302;11511;11500;21207;14761;19806;20728;17022;17593;23540;20525;13584"...
>
> I am using kernel 2.6.18-2-amd64 GNU/Linux and nessus 2.2.9.
The strlen is not to compute the strlen of the buffer, but to compute
the strlen of the format arguments of the vsnprintf called in
network_printf (newsflash: to actually expand a %s you have to run strlen
on the arguments).
It's pretty obvious that one of the arguments is not \0 terminated,
making strlen fail. It's definitely not a libc bug.
--
·O· Pierre Habouzit
··O madcoder@debian.org
OOO http://www.madism.org