[19819] in bugtraq
another format string bug
daemon@ATHENA.MIT.EDU (Wojtek Pawlikowski)
Fri Mar 23 18:10:58 2001
Date: Fri, 23 Mar 2001 16:38:19 +0100
Reply-To: Wojtek Pawlikowski <vvega@LIDERLINK.NET>
From: Wojtek Pawlikowski <vvega@LIDERLINK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
There is a format string bug in 'pwc' (ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz).
This CGI script is used to change users' passwords via www (blah!).
writelog() calls the syslog() function, which 'eats' ;) characters and logs them
to the system logs. But you can paste shellcode into buffers[512] and syslog()
will run it without any problems.
#include <stdarg.h>
#include <stdio.h>
#include <syslog.h>

/* SERVICENAME is a macro defined elsewhere in pwc */
void writelog(const char *fmt, ...)
{
    va_list args;
    char buffer[512];

    va_start(args, fmt);
    openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT | LOG_AUTH);
    vsnprintf(buffer, 512, fmt, args);
    syslog(LOG_ERR, buffer);   /* <- bug :) formatted user data reused as the format string */
    closelog();
    va_end(args);
    return;
}
As you can see, this is a potential security bug.
Patch:
change
syslog(LOG_ERR, buffer);
to
syslog(LOG_ERR, "%s", buffer);
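The vulnerable and patched patterns side by side, as an added example that is not from the post or from pwc. It assumes a stand-in fake_syslog() that formats into a caller buffer instead of the system log (syslog() interprets its message argument the same way), and a constructed user string containing "%%" so the second interpretation is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): the third argument is a printf-style format,
 * exactly as with the real syslog(3). Output goes to 'out' so the
 * demonstration is self-contained. (hypothetical helper) */
static void fake_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Pattern from the post: the already-formatted message is handed over
 * as the format string, so any '%' that came from user input is parsed
 * again by the logger. */
void writelog_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    va_list args;
    char buffer[512];
    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);
    fake_syslog(out, outlen, buffer);        /* bug: buffer is the format */
}

/* Patched pattern: the format is a literal "%s", so user data is only
 * ever a string argument and its '%' characters are copied verbatim. */
void writelog_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    va_list args;
    char buffer[512];
    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);
    fake_syslog(out, outlen, "%s", buffer);  /* fix: constant format */
}

int main(void)
{
    char out[128];
    const char *user = "50%% off";           /* constructed user input */
    writelog_vulnerable(out, sizeof out, "user %s", user);
    printf("vulnerable: %s\n", out);         /* "user 50% off"  */
    writelog_fixed(out, sizeof out, "user %s", user);
    printf("fixed:      %s\n", out);         /* "user 50%% off" */
    return 0;
}
```

With real attacker input the first path would let '%x' or '%n' read or write memory; here the collapsed "%%" is enough to prove the message was parsed twice.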
greetz: #sigsegv, #phreakpl, #argante
-------------------------------------------------------------------
Wojtek Pawlikowski <wojtek@liderlink.net> Linux / BSD Administrator
Cell 0608521666 || Registered Linux User 198985 || Have a nice trip