[15663] in bugtraq
Re: proftp advisory
daemon@ATHENA.MIT.EDU (Daniel Jacobowitz)
Thu Jul 6 15:19:51 2000
Mail-Followup-To: Daniel Jacobowitz <drow@false.org>, BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20000705152726.A19382@drow.them.org>
Date: Wed, 5 Jul 2000 15:27:27 -0700
Reply-To: Daniel Jacobowitz <drow@FALSE.ORG>
From: Daniel Jacobowitz <drow@FALSE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000703103846.9733E1EE88@lists.securityfocus.com>; from lamagra@digibel.org on Mon, Jul 03, 2000 at 12:40:54PM +0200
On Mon, Jul 03, 2000 at 12:40:54PM +0200, lamagra wrote:
> Bug1:
> void set_proc_title(char *fmt,...) in src/main.c
>
> <snippet>
> memset(statbuf, 0, sizeof(statbuf));
> vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
>
> #ifdef HAVE_SETPROCTITLE
> setproctitle(statbuf);
> #endif /* HAVE_SETPROCTITLE */
> </snippet>
>
> setproctitle, defined as setproctitle(char *fmt,...);, calls vsnprintf().
> This makes it vulnerable to format attacks. By carefully outlining the
> attack buffer it's possible to gain root privileges.
>
> Fix: use setproctitle("%s",statbuf);
Note that this is a problem only if you have a setproctitle() in libc
(or libutil). Linux does not (glibc 2.x), and I don't believe Solaris
does either.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
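The double interpretation the advisory describes, as an added example that is not code from the thread or from ProFTPD: the format string is expanded once into statbuf, and the vulnerable variant then hands statbuf to setproctitle() as a second format. setproctitle_stub() is a constructed stand-in for the libc/libutil function (it only records the title in a buffer); "%%" is used as the smuggled directive because it is the one that can be interpreted safely without arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libc/libutil setproctitle(fmt, ...): like the
 * real one it treats its first argument as a printf-style format, but it
 * only records the result instead of rewriting the process argv area. */
static char proc_title[256];

static void setproctitle_stub(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof(proc_title), fmt, ap);
    va_end(ap);
}

const char *current_proc_title(void) { return proc_title; }

/* Mirrors the advisory's set_proc_title(): expand fmt once into statbuf,
 * then pass statbuf to setproctitle() as the format. Any '%' that arrived
 * through the arguments (e.g. a user name) is parsed a second time. */
void set_proc_title_vulnerable(const char *fmt, ...)
{
    char statbuf[256];
    va_list msg;
    memset(statbuf, 0, sizeof(statbuf));
    va_start(msg, fmt);
    vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
    va_end(msg);
    setproctitle_stub(statbuf);          /* statbuf is the format: the bug */
}

/* The advisory's fix: "%s" is the format and statbuf is an argument, so
 * its contents are copied verbatim and never scanned for directives. */
void set_proc_title_fixed(const char *fmt, ...)
{
    char statbuf[256];
    va_list msg;
    memset(statbuf, 0, sizeof(statbuf));
    va_start(msg, fmt);
    vsnprintf(statbuf, sizeof(statbuf), fmt, msg);
    va_end(msg);
    setproctitle_stub("%s", statbuf);    /* fixed: data is never a format */
}
```

On a system whose setproctitle() carries a printf format attribute, gcc's -Wformat-security warns on the `setproctitle(statbuf)` call and stays silent on the fixed form, which is a cheap way to audit a tree for this pattern.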