[16773] in bugtraq
Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Dan Astoorian)
Thu Sep 14 18:09:29 2000
Message-Id: <00Sep13.132949edt.453134-2358@jane.cs.toronto.edu>
Date: Wed, 13 Sep 2000 13:29:45 -0400
Reply-To: Dan Astoorian <djast@CS.TORONTO.EDU>
From: Dan Astoorian <djast@CS.TORONTO.EDU>
X-To: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 13 Sep 2000 11:09:58 EDT."
<200009131509.KAA09328@galen.eng.auburn.edu>
On Wed, 13 Sep 2000 11:09:58 EDT, Doug Hughes writes:
> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.
[...]
> if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
>     perror("allocating memory");
>     exit(1);
> }
Note that perror() itself may perform localization on some platforms and
under some circumstances (e.g., if compiled with -lintl under Solaris).
I don't know whether it's exploitable in practice, but it appears to me
as though this wrapper could suffer, at least theoretically, from the
same weakness as the programs it's trying to protect.
--
Dan Astoorian            People shouldn't think that it's better to have
Sysadmin, CSLab          loved and lost than never loved at all. It's
djast@cs.toronto.edu     not, it's better to have loved and won. All
                         the other options really suck. --Dan Redican
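Editor's added example, not code from the posting or from Doug Hughes's wrapper (the reply above proposes no fix, and the posting does not show how perror() is implemented on any platform). It illustrates the two things a practitioner would check in a setuid wrapper given the concern raised: that text fetched from a message catalog never reaches a *printf routine as its format argument (only as a %s argument), and that the variables which select the catalog are dropped from the environment before any localized library call runs. The catalog strings and the NLSPATH value are constructed; the list of environment variables is this example's assumption about what a localized libc consults, not a claim about Solaris's perror() specifically.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/*
 * Collect the printf conversion characters of `fmt` into `out` (one character
 * per conversion, e.g. "sd" for "%s: %d"), treating "%%" as a literal percent.
 * Returns the number of conversions, or -1 if the string ends in a lone '%'.
 * `outsz` must be at least 1; extra conversions are counted but not stored.
 */
static int format_conversions(const char *fmt, char *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* literal percent sign */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) return -1;                      /* truncated specifier */
        if (n + 1 < outsz) out[n] = *p;
        n++;
    }
    out[n + 1 < outsz ? n : outsz - 1] = '\0';
    return (int)n;
}

/*
 * A translated string may only be used as a format if it asks for exactly the
 * conversions the original did, in the same order.  GNU msgfmt -c applies this
 * check when a catalog is built; doing it at run time also catches a catalog
 * that was never built by the packager (the case the thread is about).
 */
static int translation_is_safe(const char *msgid, const char *msgstr) {
    char a[32], b[32];
    int na = format_conversions(msgid, a, sizeof a);
    int nb = format_conversions(msgstr, b, sizeof b);
    return na >= 0 && nb >= 0 && na == nb && strcmp(a, b) == 0;
}

/*
 * Error reporting that does not care where the message text came from: the
 * text is always a %s argument, never the format.  Returns fprintf's count.
 */
static int report_error(FILE *stream, const char *msg, int err) {
    return fprintf(stream, "%s: %s\n", msg, strerror(err));
}

/*
 * Variables that steer which message catalog a localized library routine
 * opens (assumed list for this example).  A setuid wrapper that removes them
 * before calling into libc keeps that choice out of the invoking user's hands.
 * Returns how many were present and removed.
 */
static const char *const locale_vars[] = {
    "NLSPATH", "LANG", "LANGUAGE", "LC_ALL", "LC_MESSAGES", "LC_CTYPE", NULL
};

static int scrub_locale_env(void) {
    int removed = 0;
    for (const char *const *v = locale_vars; *v; v++) {
        if (getenv(*v)) { unsetenv(*v); removed++; }
    }
    return removed;
}

int main(void) {
    /* Constructed catalog entries: a legitimate translation of the wrapper's
       message, and what a hostile catalog could supply in its place. */
    const char *msgid = "allocating memory";
    const char *good  = "reservando memoria";
    const char *bad   = "%08x.%08x.%08x.%n";

    setenv("NLSPATH", "/tmp/evil/%N", 1);     /* constructed hostile value */
    printf("scrubbed %d locale variable(s)\n", scrub_locale_env());
    printf("legitimate translation safe: %d\n", translation_is_safe(msgid, good));
    printf("hostile translation safe:    %d\n", translation_is_safe(msgid, bad));

    errno = ENOMEM;
    report_error(stderr, good, errno);        /* text as argument, never as format */
    return 0;
}
```

The scrub has to happen before the first call that might consult a catalog, which in the quoted wrapper means before the malloc failure path, not in it; and a wrapper that must keep the user's locale for the program it executes can re-add a vetted value after the scrub rather than passing the inherited one through.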