[18850] in bugtraq


format string vulnerability in mars_nwe 0.99pl19

daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Mon Jan 29 03:54:43 2001

Mail-Followup-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>,
                  mstover@compu-art.de, bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010126225519.Z5964@riget.scene.pl>
Date:         Fri, 26 Jan 2001 22:55:19 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
X-To:         mstover@compu-art.de
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

Mars_nwe 0.99.pl19 is vulnerable to a remote format string vulnerability,
allowing superuser privileges to be gained from DOS/Windows workstations
attached to the mars server.

Here is the patch:


--- tools.c.orig	Fri Jan 26 22:46:34 2001
+++ tools.c	Fri Jan 26 22:46:59 2001
@@ -189,7 +189,7 @@
         sprintf(identstr, "%s %d %3d", get_debstr(0),
                            act_connection, act_ncpsequence);
         openlog(identstr, LOG_CONS, LOG_DAEMON);
-        syslog(LOG_DEBUG, buf);
+        syslog(LOG_DEBUG, "%s", buf);
         closelog();
       } else {
         int l=strlen(buf);
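
Review bot: The sprintf into identstr in the context lines just above the changed syslog call has no length bound, and neither the size of identstr nor the length of the string returned by get_debstr(0) is visible in this hunk. Since the patch is already hardening this logging path, consider snprintf(identstr, sizeof(identstr), "%s %d %3d", ...) here, assuming identstr is an array in scope. The syslog change itself is right: buf is now passed as data rather than as the format.
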
@@ -249,7 +249,7 @@
     }
     sprintf(identstr, "%s %d %3d", get_debstr(0), act_connection, act_ncpsequence);
     openlog(identstr, LOG_CONS, LOG_DAEMON);
-    syslog(prio, buf);
+    syslog(prio, "%s", buf);
     closelog();
     if (!mode) return;
     lologfile=stderr;
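
Review bot: After closelog() this function continues to the lologfile=stderr line when mode is non-zero, and whatever writes buf to that file is outside the hunk; if it passes buf as the format argument to fprintf or a similar call, it needs the same "%s" treatment as the syslog(prio, "%s", buf) line. The openlog/syslog/closelog sequence is also duplicated from the hunk at line 189, so a small helper taking the priority and the message would keep the constant format string in one place and make it harder to reintroduce the bug.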

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
