[sane-devel] Bug#854804: saned: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server

Kritphong Mongkhonvanit kritphong at mongkhonvanit.tk
Sat Feb 11 17:16:04 UTC 2017


tags 854804 - moreinfo
thanks

On Sat, Feb 11, 2017 at 11:54 AM, Jörg Frings-Fürst 
<debian at jff-webhosting.net> wrote:
> tags 854804 + moreinfo
> thanks
> 
> Hello Kritphong,
> 
> thank you for spending your time helping to make Debian better with
> this bug report.
> 
> I have added the sane-devel ML as cc.
> 
> 
> Am Freitag, den 10.02.2017, 10:33 -0500 schrieb Kritphong
> Mongkhonvanit:
>>  Package: sane-utils
>>  Version: 1.0.25-3
>>  Severity: grave
>>  Tags: security upstream
>>  Justification: user security hole
>> 
>>  Dear Maintainer,
>> 
>>  When saned receives a SANE_NET_CONTROL_OPTION packet with value_type ==
>>  SANE_TYPE_STRING and value_size larger than the actual length of the
>>  requested string, the response packet from the server contains a string
>>  object as long as value_size in the request. The bytes following the
>>  actual string appear to contain memory contents from the server.
>> 
> 
> Please let me explain:
> 
> You have found one or more parts in the code where a string with an
> incorrect value_size is transferred? Then please tell us where.

I found that the transferred string in the value field of the 
SANE_NET_CONTROL_OPTION response packet is always the same size as the 
one requested, even if the actual string is shorter. I assume that this 
is intentional since the string is NULL-terminated. However, the part 
beyond the NULL-terminator appears to be uninitialized memory from the 
server, which can potentially contain sensitive information. I have yet 
to locate where in SANE's source code this is happening, but I am able 
to see the uninitialized memory in Wireshark, which suggests that it 
actually comes from the server rather than from my machine.

I also have a proof-of-concept that demonstrates this if you'd like to 
take a look at it.

> 
> Or is there another problem?
> 
> Please give us more info and remove the tag moreinfo with your 
> answer.
> 
> 
>>  It may be possible to trigger this bug with other packet types, but I
>>  have not verified this.
>> 
>>  I have previously filed a bug in the SANE bug tracker on Alioth
>>  (#315576), but I received no response.
>> 
>> 
>>  -- System Information:
>>  Debian Release: 9.0
>>    APT prefers unstable
>>    APT policy: (500, 'unstable')
>>  Architecture: amd64 (x86_64)
>> 
>>  Kernel: Linux 4.8.0-1-amd64 (SMP w/1 CPU core)
>>  Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>  Shell: /bin/sh linked to /bin/dash
>>  Init: systemd (via /run/systemd/system)
>> 
>>  Versions of packages sane-utils depends on:
>>  ii  adduser                3.115
>>  ii  debconf [debconf-2.0]  1.5.60
>>  ii  init-system-helpers    1.47
>>  ii  libavahi-client3       0.6.32-2
>>  ii  libavahi-common3       0.6.32-2
>>  ii  libc6                  2.24-9
>>  ii  libieee1284-3          0.2.11-13
>>  ii  libjpeg62-turbo        1:1.5.1-2
>>  ii  libpng16-16            1.6.28-1
>>  ii  libsane                1.0.25-3
>>  ii  libsystemd0            232-6
>>  ii  libusb-1.0-0           2:1.0.21-1
>>  ii  lsb-base               9.20161125
>>  ii  update-inetd           4.44
>> 
>>  sane-utils recommends no packages.
>> 
>>  Versions of packages sane-utils suggests:
>>  ii  avahi-daemon  0.6.32-2
>>  pn  unpaper       <none>
>> 
>>  -- debconf information excluded
>> 
> 
> CU
> Jörg
> 
> --
> New:
> GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
> GPG key (long) : 09F89F3C8CA1D25D
> GPG Key        : 8CA1D25D
> CAcert Key S/N : 0E:D4:56
> 
> Old pgp Key: BE581B6E (revoked since 2014-12-31).
> 
> Jörg Frings-Fürst
> D-54470 Lieser
> 
> Threema: SYR8SJXB
> 
> IRC: j_f-f at freenode.net
>      j_f-f at oftc.net
> 
> My wish list:
>  - Please send me a picture from the nature at your home.
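The behaviour the report describes, as an added example that is neither the reporter's proof-of-concept nor saned's own code: a server carves the reply buffer to the client's value_size, lets the backend write a short NUL-terminated string into it, and serialises the whole buffer, next to a hardened variant that zero-fills the buffer first, plus the check the reporter did by eye in Wireshark (count the non-zero bytes after the first NUL). The wire layout (a big-endian 32-bit length word followed by value_size bytes), the STALE heap contents and the backend_get_string_value callback are constructed for this example and are not taken from sanei_net or from any backend.

```c
/* Added example, not saned's code: the client-chosen value_size becomes the
 * size of an uncleared reply buffer that is sent in full, so bytes after the
 * NUL are stale server memory.  Wire layout here (big-endian 32-bit length
 * word, then value_size bytes) is an assumed stand-in for SANE's encoding. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stale data standing in for whatever the heap held before. */
static const char STALE[] = "user=alice;password=hunter2;resource=net:scanner";

/* Hypothetical backend callback: writes the option's current value as a
 * NUL-terminated string into buf, as sane_control_option would. */
static void backend_get_string_value(char *buf, size_t buf_size)
{
    snprintf(buf, buf_size, "%s", "Color");   /* e.g. a "mode" option */
}

static void put_word(uint8_t *o, uint32_t w)
{
    o[0] = (uint8_t)(w >> 24); o[1] = (uint8_t)(w >> 16);
    o[2] = (uint8_t)(w >> 8);  o[3] = (uint8_t)w;
}

static uint32_t get_word(const uint8_t *i)
{
    return ((uint32_t)i[0] << 24) | ((uint32_t)i[1] << 16) |
           ((uint32_t)i[2] << 8) | (uint32_t)i[3];
}

/* Serialise "length word + len bytes"; returns bytes written. */
static size_t encode_char_array(uint8_t *out, const char *v, uint32_t len)
{
    put_word(out, len);
    memcpy(out + 4, v, len);
    return 4 + (size_t)len;
}

/* Leaky: buffer sized by the client, never cleared, serialised in full. */
size_t build_reply_leaky(uint32_t value_size, uint8_t *out, size_t out_cap)
{
    if (value_size == 0 || 4 + (size_t)value_size > out_cap)
        return 0;
    char *value = malloc(value_size);
    if (!value)
        return 0;
    /* Stand-in for a recycled allocation: malloc() promises nothing about
     * the contents either way, which is exactly the problem. */
    for (size_t i = 0; i < value_size; i++)
        value[i] = STALE[i % (sizeof STALE - 1)];
    backend_get_string_value(value, value_size);
    size_t n = encode_char_array(out, value, value_size);
    free(value);
    return n;
}

/* Hardened: same reply shape, but the buffer is zero-filled first, so
 * nothing past the terminator is stale. */
size_t build_reply_fixed(uint32_t value_size, uint8_t *out, size_t out_cap)
{
    if (value_size == 0 || 4 + (size_t)value_size > out_cap)
        return 0;
    char *value = calloc(value_size, 1);
    if (!value)
        return 0;
    backend_get_string_value(value, value_size);
    size_t n = encode_char_array(out, value, value_size);
    free(value);
    return n;
}

/* The Wireshark check, automated: non-zero bytes after the first NUL of the
 * encoded string.  Anything above zero is memory the client never asked for.
 * Returns -1 on a malformed reply. */
long count_bytes_after_nul(const uint8_t *reply, size_t n)
{
    if (n < 4)
        return -1;
    uint32_t len = get_word(reply);
    if ((size_t)len > n - 4)
        return -1;
    const uint8_t *s = reply + 4;
    size_t nul = 0;
    while (nul < len && s[nul] != 0)
        nul++;
    long leaked = 0;
    for (size_t i = nul + 1; i < len; i++)
        if (s[i] != 0)
            leaked++;
    return leaked;
}

/* One request/reply round through either path; returns the leaked count. */
long leaked_bytes(int hardened, uint32_t value_size)
{
    uint8_t out[256];
    size_t n = hardened ? build_reply_fixed(value_size, out, sizeof out)
                        : build_reply_leaky(value_size, out, sizeof out);
    return n ? count_bytes_after_nul(out, n) : -1;
}

int main(void)
{
    printf("leaky: %ld stale bytes after the NUL, fixed: %ld\n",
           leaked_bytes(0, 64), leaked_bytes(1, 64));
    return 0;
}
```

Built with any C99 compiler, the leaky path reports 58 stale bytes for a 64-byte request whose real value is "Color", the hardened path 0. Zero-filling keeps the reply shape identical for the client; encoding only strlen+1 bytes would also stop the leak but changes the value_size the client receives, so that choice depends on what existing clients tolerate.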