
Format String Vulnerability (Arbitrary Read/Write, possible Arbitrary Code Execution) #3

Closed
@carter-yagemann

Description

I realize this repository is no longer being actively maintained, but for those who still find the program useful, be aware that there is a serious format string vulnerability, so please carefully validate your inputs!

PoC:

```
$ ./dmitry "%p %p %p %p %p %p"

Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host IP addr. for %p %p %p %p %p %p
Continuing with limited modules
HostIP:
HostName:%p %p %p %p %p %p

Gathered Inic-whois information for 0x5598e89e9b47 (nil) (nil) 0x7ffc2f4878e0 0x7f721845de80 (nil)
[...]
```

A maliciously crafted input can achieve arbitrary read/write, potentially leading to arbitrary code execution.

Root Cause:

The function get_nwhois passes linebuff, which contains content from the command line, to print_line:

dmitry/src/nwhois.c

Lines 3 to 28 in 5ad492c

```c
int get_nwhois(char *host)
{
    int hostn;
    char fhost[128]; /* Host with www removed */
    char linebuff[128];
    char server[64];
    int ctr;

    linetodo = 0;
    if ( strlen(outputfile) ) file_open();

    /* remove www. */
    memset(fhost, '\0', sizeof(fhost));
    if ( host[0] == 'w' && host[1] == 'w' && host[2] == 'w' && host[3] == '.' && strlen(host) > 9 ) {
        ctr = 4;
        do {
            if ( host[ctr] != '\n' && host[ctr] != '\0' ) fhost[ctr-4] = host[ctr];
            ctr++;
        } while ( host[ctr] != '\n' && host[ctr] != '\0' );
    }
    else strcpy(fhost, host);

    /* Print introduction to function */
    memset(linebuff, '\0', sizeof(linebuff));
    snprintf(linebuff, sizeof(linebuff), "\nGathered Inic-whois information for %s\n", fhost);
    print_line(linebuff);
```

This eventually reaches printf as the format string argument:

dmitry/src/output.c

Lines 3 to 29 in 5ad492c

```c
void print_line(char *string, char *string2)
{
    int ctr;
    int ctr2;
    char sendbuff[255];
    char timebuff[5];
    char timebuff2[5];
    struct tm *timenow;
    time_t now;

    if ( strlen(outputfile) ){
        memset(sendbuff, '\0', sizeof(sendbuff));
        ctr = 0;
        ctr2 = 0;
        do {
            if ( string[ctr] == '%' && string[ctr + 1] == 's' ){
                strcat(sendbuff, string2);
                ctr += 2;
            }
            sendbuff[strlen(sendbuff)] = string[ctr];
            ctr ++;
        } while ( string[ctr] != '\0' );
        fputs(sendbuff, wfp);
    }
    printf(string, string2);
```

This is a very unsafe usage of printf.
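The following is an added example, not code from the dmitry project or from the issue author, showing the defensive pattern the report calls for: a `print_line` replacement that never hands caller data to `printf` as the format string, does the `%s` substitution itself with bounds checking, and emits the result through a fixed format. The function names (`expand_line`, `count_format_directives`, `print_line_safe`, `expand_matches`) and the sample host string are assumptions constructed for this illustration; the host value mirrors the PoC above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the print_line() pattern shown in the issue
 * (example code, not the project's own). The original calls printf(string, string2)
 * with `string` built from the attacker-controlled host name, so any '%' in that
 * name is interpreted as a conversion directive. Here the template is treated as
 * plain text and only the literal "%s" placeholder is substituted. */

/* Expand the "%s" placeholder(s) in `tmpl` with `arg`, writing into out[outsz].
 * Every other '%' is copied literally. Returns the length written, or -1 if the
 * result would not fit (the original used strcat into a fixed 255-byte buffer). */
int expand_line(const char *tmpl, const char *arg, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; tmpl[i] != '\0'; i++) {
        if (tmpl[i] == '%' && tmpl[i + 1] == 's' && arg != NULL) {
            size_t alen = strlen(arg);
            if (o + alen >= outsz) return -1;
            memcpy(out + o, arg, alen);
            o += alen;
            i++;                 /* skip the 's' of the placeholder */
            continue;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = tmpl[i];
    }
    out[o] = '\0';
    return (int)o;
}

/* Count printf conversion directives in untrusted text: a '%' that is not part of
 * an escaped "%%". Useful as an input-validation or log-detection check before data
 * can reach any formatting function. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '%') {
            if (s[i + 1] == '%') { i++; continue; }   /* literal percent sign */
            n++;
        }
    }
    return n;
}

/* Hardened print_line: the expanded text is written with fputs (equivalently
 * printf("%s", sendbuff)), so attacker bytes are always data, never a format. */
void print_line_safe(const char *tmpl, const char *arg, FILE *fp)
{
    char sendbuff[255];
    if (expand_line(tmpl, arg, sendbuff, sizeof sendbuff) < 0) {
        fputs("[line too long]\n", fp);
        return;
    }
    fputs(sendbuff, fp);
}

/* Self-check helper: expand into a local buffer and compare with `expected`.
 * Returns 1 on match, 0 on mismatch or overflow. */
int expand_matches(const char *tmpl, const char *arg, const char *expected)
{
    char buf[64];
    if (expand_line(tmpl, arg, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed input mirroring the PoC: a "host" made of format directives. */
    const char *host = "%p %p %p %p %p %p";
    char linebuff[128];

    /* Same snprintf as get_nwhois(); linebuff now *contains* the %p sequence. */
    snprintf(linebuff, sizeof linebuff, "\nGathered Inic-whois information for %s\n", host);

    printf("conversion directives in untrusted host: %d\n", count_format_directives(host));

    /* The original did printf(linebuff, ...); this prints the %p's as literal text. */
    print_line_safe("%s", linebuff, stdout);
    return 0;
}
```

Run with the PoC string and the `%p` sequence is echoed back verbatim instead of being expanded into stack addresses; `count_format_directives` returning a non-zero value for a host name is also a cheap signal to log or reject before the value reaches any output routine.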
