[16906] in bugtraq
Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp
daemon@ATHENA.MIT.EDU (Chris Evans)
Tue Sep 26 01:33:25 2000
Message-ID: <Pine.LNX.4.21.0009260027190.25714-100000@ferret.lmh.ox.ac.uk>
Date: Tue, 26 Sep 2000 00:58:12 +0100
Reply-To: Chris Evans <chris@SCARY.BEASTS.ORG>
From: Chris Evans <chris@SCARY.BEASTS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
SUMMARY
-------
More format string bugs. Exploitability on these has not really been
researched. Current feeling is "maybe exploitable under certain
circumstances/configurations".
An in-depth discussion is not required. Here are the locations of the code
flaws:
---
[root@localhost dhcp-2.0]# pwd
/usr/src/redhat/BUILD/dhcp-2.0
[root@localhost dhcp-2.0]# find . -name \*.c | xargs grep syslog |less
./client/dhclient.c:    /* Initially, log errors to stderr as well as to syslogd. */
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (LOG_CRIT, "exiting.");
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_INFO, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_DEBUG, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_ERR, token_line);
./common/errwarn.c:     syslog (log_priority | LOG_ERR,
./relay/dhcrelay.c:     /* Initially, log errors to stderr as well as to syslogd. */
./server/dhcpd.c:       /* Initially, log errors to stderr as well as to syslogd. */
[root@localhost dhcp-2.0]#
---
ucd-snmp-4.1.2/snmplib/snmp_logging.c
snmp_log_string()
~line 183
...
if (do_syslogging) {
syslog(priority, string);
}
...
---
Cheers
Chris
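Added example, not from Chris's post or from either project's code: the flawed call pattern shown in both reports beside its fix, with vsnprintf standing in for syslog() so the logged text can be inspected, plus a small scanner that counts argument-consuming directives in a message, the kind of check worth running over anything that reaches a log call. All function names and the sample messages are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The flawed pattern from both reports: the message itself is handed to
 * the printf family as the format, so every '%' in it is parsed.
 * vsnprintf stands in for syslog() so the result can be inspected. */
static void unsafe_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* The fix: a literal format string; the message travels as an argument. */
static void safe_log(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s", msg);
}

/* Run msg through one path; returns 1 if the logged text differs from msg. */
static int altered_by_log(const char *msg, int use_safe_path)
{
    char out[256];
    if (use_safe_path) safe_log(out, sizeof out, msg);
    else unsafe_log(out, sizeof out, msg);
    return strcmp(out, msg) != 0;
}

/* Count directives that would consume arguments if the string were ever
 * used as a format ("%%" is a literal percent and does not count). */
static int arg_directive_count(const char *s)
{
    int count = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '\0') break;                /* dangling '%' at end */
        if (*s == '%') { s++; continue; }     /* "%%": literal percent */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++;
        if (*s == '\0') break;
        count++;                              /* *s is the conversion char */
        s++;
    }
    return count;
}
```

Only "%%" is used on the unsafe path here, so the demonstration stays deterministic while still showing that the message is being interpreted rather than copied.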