[15531] in bugtraq
Re: format bugs, in addition to the wuftpd bug
daemon@ATHENA.MIT.EDU (Chris Evans)
Wed Jun 28 18:54:38 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0006280052490.28532-100000@ferret.lmh.ox.ac.uk>
Date: Wed, 28 Jun 2000 01:38:03 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
H D Moore wrote:
> I spent some time last weekend going over a handful of
> daemons/priviledged programs that I suspected had issues with formatting
> characters in user-supplied data. I will not release the names of
> affected programs yet as I am waiting for thier maintainers to get back
> to me, but I would like to cover a seemingly-unknown security issue with
> passing user-defined fields to the syslog function:
Bugtraq is a full disclosure mailing list; why not mention the daemons.
All your message will achieve is that all the Black Hats have reached for
"grep".
Based on your assertion that such flaws exist, I consider the following
"obvious" to find, so I have no problems with posting it here
From sources on my RedHat Linux 6.1 machine:
gdm:
daemon/misc.c: lots of "syslog (LOG_ERR, s)"
gui/{gdmchooser,gdmlogin}.c: similar flaws
rpc.statd:
statd/log.c: syslog(level, buffer)
I look forward to your final report - I bet this issue is widespread. I
also bet we're still discovering these flaws in a few years time, just
like we are with buffer overflows now :-(
Cheers
Chris
