[16921] in bugtraq
Re: Format strings: bug #1: BSD-lpr
daemon@ATHENA.MIT.EDU (Sean Winn)
Wed Sep 27 05:34:07 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <024d01c0277d$c0a66720$4c9409cb@labyrinth.net.au>
Date: Tue, 26 Sep 2000 16:51:02 +1100
Reply-To: Sean Winn <sean@GOTHIC.NET.AU>
From: Sean Winn <sean@GOTHIC.NET.AU>
X-To: bugtraq@securityfocus.org
To: BUGTRAQ@SECURITYFOCUS.COM
NetBSD:
    if ((s = checkremote()) != NULL)
        syslog(LOG_WARNING, s);
FreeBSD:
    if ((s = checkremote(pp)) != 0) {
        syslog(LOG_WARNING, "%s", s);
        free(s);
    }
Looking back, it appears to be fixed in this commit
(http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/lpr/lpd/printjob.c.diff?r1=1.17&r2=1.18)
Revision 1.18, Tue Dec 2 20:45:58 1997 UTC (2 years, 9 months ago) by wollman
Branch: MAIN
Changes since 1.17: +321 -345 lines
Mega lpd/lpd upgrade, part I:
- Get rid of a lot of the static variables which were shared by
many routines and programs in the suite.
- Create an abstract interface to the printcap database, so that
other retrieval and iteration mechanisms could be developed
(e.g., YP, Hesiod, or automatic retrieval from a trusted server).
- Give each capability a human-readable name in addition to the historic
two-character one.
- Otherwise generally clean up a lot of dark corners. Many still remain.
- When submitting jobs, use the official login name record (from getlogin())
if there is one, rather than reverse-mapping the uid.
More to come...
----- Original Message -----
From: "Chris Evans" <chris@SCARY.BEASTS.ORG>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Tuesday, September 26, 2000 10:57 AM
Subject: Format strings: bug #1: BSD-lpr
> Hi,
>
> INTRO
> -----
>
> Welcome to a short series of security bugs, all involving mistakes with
> "user supplied format strings". This class of bug is very popular on
> Bugtraq at the moment, so what an ideal time for a few examples.
>
> BSD-lpr
> -------
>
> If we look into lpr/lpd/printjob.c, we can find the following two lines of code
>
>     if ((s = checkremote()))
>         syslog(LOG_WARNING, s);
>
> This is a classic format string mistake.
>
> It may not be exploitable, because the failure strings returned by
> checkremote() in lpr/common_source/common.c do not contain much data that
> a user could control.
>
> However, it illustrates that format string bugs creep in everywhere, even
> in code that gets syslog() calls correct the majority of the time, as is
> the case with BSD-lpr.
>
> Fix
> ---
>
> OpenBSD ships BSD-lpr. Not only have they already fixed this in their CVS,
> but they also offer web-indexed CVS. They caught it independently as part
> of their "format strings" audit.
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20
>
> Conclusion
> ----------
>
> The next format string bug in the series will be much more interesting.
>
> Cheers
> Chris
>
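The fix both posts point at is the same one: pass the string through a "%s" format rather than as the format itself. GCC's -Wformat-security catches the original pattern at compile time; the following is an added example (mine, not code from either post or from any BSD lpr tree) that performs the same check as a small line-oriented source scanner, useful for auditing a tree the way the OpenBSD "format strings" audit did. The function names, the call table and the sample lines it is tested on are my own assumptions.

```c
#include <ctype.h>
#include <string.h>
/* Functions whose format argument is checked, with its 0-based position. */
static const struct { const char *name; int fmt_arg; } CALLS[] = {
    { "syslog", 1 }, { "vsyslog", 1 }, { "printf", 0 },
    { "fprintf", 1 }, { "snprintf", 2 },
};

static const char *skip_ws(const char *p) { while (isspace((unsigned char)*p)) p++; return p; }

/* Start of argument n inside the parentheses opened at `open`, or NULL if there
   is none. Tracks nesting and string literals so commas inside them don't count. */
static const char *nth_arg(const char *open, int n)
{
    int depth = 0, idx = 0, in_str = 0;
    const char *p = open + 1;
    if (n == 0)
        return skip_ws(p);
    for (; *p; p++) {
        if (in_str) {
            if (*p == '\\' && p[1]) p++;            /* skip escaped character */
            else if (*p == '"') in_str = 0;
        } else if (*p == '"') in_str = 1;
        else if (*p == '(') depth++;
        else if (*p == ')') { if (depth-- == 0) return NULL; }
        else if (*p == ',' && depth == 0 && ++idx == n) return skip_ws(p + 1);
    }
    return NULL;
}
/* Returns 1 if `line` calls one of CALLS with a format argument that is not a
   string literal, e.g. syslog(LOG_WARNING, s); 0 otherwise. This is a
   line-oriented heuristic: it ignores comments and calls split across lines. */
int has_nonliteral_format(const char *line)
{
    for (size_t i = 0; i < sizeof CALLS / sizeof CALLS[0]; i++) {
        size_t len = strlen(CALLS[i].name);
        for (const char *hit = line; (hit = strstr(hit, CALLS[i].name)) != NULL; hit += len) {
            /* Whole identifiers only, so "vsyslog" is not taken as "syslog". */
            if (hit != line && (isalnum((unsigned char)hit[-1]) || hit[-1] == '_'))
                continue;
            const char *paren = skip_ws(hit + len);
            if (*paren != '(')
                continue;
            const char *arg = nth_arg(paren, CALLS[i].fmt_arg);
            if (arg && *arg != '"' && *arg != ')')
                return 1;
        }
    }
    return 0;
}
```

Run over the two lines from the posts, the NetBSD form is flagged and the FreeBSD "%s" form is not; a macro used as the format (a common false positive) is flagged too, which is the same behaviour a compiler warning gives.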