[24756] in bugtraq


Re: [VulnWatch] Bypassing libsafe format string protection

daemon@ATHENA.MIT.EDU (Steve Beattie)
Wed Mar 20 17:55:08 2002

Date: Wed, 20 Mar 2002 10:24:18 -0800
From: Steve Beattie <steve@wirex.net>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Cc: Wojciech Purczynski <cliph@isec.pl>, security@isec.pl,
        immunix-announce@wirex.com
Message-ID: <20020320182418.GG2245@wirex.net>
In-Reply-To: <Pine.LNX.4.44.0203201125200.14841-100000@isec.pl>


On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
> 
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe.
> 
> 2.
> 
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses the n-th argument and do not properly count the real number of arguments
> used. Thus, arguments whose index numbers are above the total number of
> conversion specifications are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides
a similar protection against format string attacks as libsafe) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

-- 
Steve Beattie                               Don't trust programmers?
<steve@wirex.net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
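A scanner for the argument-counting problem in point 2 and the flag-character problem in point 1, added here as an example (written for this page; it is not libsafe, FormatGuard or glibc code, and serves as a portable stand-in for the parse_printf_format() check Steve describes). It returns the highest argument index a format string needs, so "%3$n" counts as three arguments even though it contains a single conversion; the flag set "-+ #0'I" is assumed from glibc's documented printf flags.

```c
/* Added example (not libsafe, FormatGuard or glibc code): how many arguments a
 * printf-style format really consumes, honouring glibc positional "N$" args,
 * "*" width/precision args and the flag characters glibc's *printf accept. */
#include <ctype.h>
#include <string.h>

static int read_num(const char **p)      /* decimal run, possibly empty */
{
    int n = 0;
    while (isdigit((unsigned char)**p))
        n = n * 10 + (*(*p)++ - '0');
    return n;
}
/* Index of the argument a "*" width/precision takes: "N$" or next sequential. */
static int take_arg(const char **p, int *seq)
{
    const char *q = *p;
    int n = read_num(&q);
    if (n && *q == '$') { *p = q + 1; return n; }
    return (*seq)++;
}

static void note(int *max, int v) { if (v > *max) *max = v; }

/* Highest argument index the format requires (0 if none); -1 if malformed. */
int printf_args_required(const char *fmt)
{
    int max = 0, seq = 1, idx;
    const char *p = fmt, *q;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }           /* "%%" consumes nothing */
        q = p; idx = read_num(&q);                  /* optional "N$" before flags */
        if (idx && *q == '$') p = q + 1; else idx = 0;
        while (*p && strchr("-+ #0'I", *p)) p++;    /* glibc flags, incl. ' and I */
        if (*p == '*') { p++; note(&max, take_arg(&p, &seq)); }   /* width */
        else read_num(&p);
        if (*p == '.') {                            /* precision */
            p++;
            if (*p == '*') { p++; note(&max, take_arg(&p, &seq)); }
            else read_num(&p);
        }
        while (*p && strchr("hlLqjzt", *p)) p++;    /* length modifiers */
        if (!*p) return -1;                         /* truncated conversion */
        p++;                                        /* conversion character */
        note(&max, idx ? idx : seq++);
    }
    return max;
}
```

A wrapper that compares this count against the arguments actually supplied catches both bypasses the post describes; where glibc is available, parse_printf_format() from <printf.h> is the authoritative parser to use instead.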

