26th Sep 2002 [SBWID-5279]
COMMAND
	AOLServer DB Proxy Daemon Format String Vulnerability
SYSTEMS AFFECTED
	AOLServer 3.4.2, 3.4.1, 3.4, 3.3.1, 3.2.1, 3.2, 3.1, 3.0
PROBLEM
	From Guillaume Pelat of INTEXXIA [http://www.intexxia.com] security
	advisory [ID #1052-300102]:
	AOL Server provides an API to develop external database driver proxy daemons.
	Those daemons are linked to a library (libnspd.a).
	The intexxia laboratory found a format string and a buffer overflow
	vulnerability in the 'Ns_PdLog' function of the library. Successful
	exploitation of the bug could allow an attacker to execute code and gain
	access to the system.
	As a result, all the External Driver Proxy Daemons using the 'Ns_PdLog'
	function with the 'Error' or 'Notice' parameter are potentially
	vulnerable.
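	The two defects named above share one logging path: the message is first expanded into a fixed buffer, then handed to the log sink. The following is an added example, not code from the advisory or from AOLserver; `pd_format`, `pd_emit` and the sample input are hypothetical, and `pd_emit` stands in for `syslog(priority, "%s", msg)` so the block runs without a log daemon.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSGBUF_SIZE 4096 /* size of msgbuf in the patched hunk */

/* Hypothetical helper: bounded expansion; 1 = truncated, 0 = fit, -1 = error. */
static int pd_format(char *dst, size_t dstlen, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(dst, dstlen, format, ap); /* never writes past dstlen */
    va_end(ap);
    return n < 0 ? -1 : ((size_t)n >= dstlen);
}

/* Hypothetical sink: the expanded message is an argument, never the format. */
static int pd_emit(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* 1 if directives inside logged data reach the sink unchanged. */
static int demo_directives_stay_literal(void)
{
    const char *from_client = "SELECT %x%x%n"; /* constructed input */
    char msgbuf[MSGBUF_SIZE], out[MSGBUF_SIZE];
    if (pd_format(msgbuf, sizeof msgbuf, "bad query: %s", from_client) != 0)
        return 0;
    pd_emit(out, sizeof out, msgbuf);
    return strcmp(out, "bad query: SELECT %x%x%n") == 0;
}

/* 1 if an oversized message is cut to fit and reported as truncated. */
static int demo_oversized_is_truncated(void)
{
    char big[MSGBUF_SIZE + 100], msgbuf[MSGBUF_SIZE];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return pd_format(msgbuf, sizeof msgbuf, "%s", big) == 1
        && strlen(msgbuf) == sizeof msgbuf - 1;
}

int main(void)
{
    printf("literal=%d truncated=%d\n", demo_directives_stay_literal(), demo_oversized_is_truncated());
    return 0;
}
```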
SOLUTION
	This vulnerability has been fixed in the current version in CVS branch
	nsd_v3_r3_p0 (post-AOLserver 3.4.2), and the fix can be used for any
	affected version. The patch used was created by intexxia and is attached.
	More information can be found at the following URL:
	http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1
	diff -dru aolserver-3.4.2/nspd/log.c aolserver-3.4.2-patched/nspd/log.c
	--- aolserver-3.4.2/nspd/log.c	Tue Aug 15 22:24:33 2000
	+++ aolserver-3.4.2-patched/nspd/log.c	Wed Jan 30 09:03:11 2002
	@@ -206,14 +206,13 @@
	             char msgbuf[4096];
	=20
	             va_start(ap, format);
	-            vsprintf(msgbuf, format, ap);
	+            vsnprintf(msgbuf, sizeof (msgbuf), format, ap);
	             va_end(ap);
	-            syslog(priority, msgbuf);
	+            syslog(priority, "%s", msgbuf);
	         }
	     }
	 }
	=20
	-=0C
	 /*
	  =
	*----------------------------------------------------------------------
	  *
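	Review bot: the return value of vsnprintf(msgbuf, sizeof (msgbuf), format, ap) is discarded, so a message longer than the 4096-byte msgbuf is now cut silently before it reaches syslog. The overflow is closed, but the log entry loses its tail with no indication; consider comparing the result against sizeof (msgbuf) and marking the entry as truncated, and treating a negative result as an error rather than logging whatever is in the buffer. The switch to syslog(priority, "%s", msgbuf) is the right fix for the format string side. The removed form-feed line ("-=0C") is unrelated to the security fix and would be better left out of this patch to keep the change minimal.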