[16923] in bugtraq
Re: Format strings: bug #1: BSD-lpr
daemon@ATHENA.MIT.EDU (Jouko Pynnönen)
Wed Sep 27 12:34:04 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Message-Id: <Pine.LNX.4.10.10009271251040.11984-100000@enviro.solutions.fi>
Date: Wed, 27 Sep 2000 13:23:48 +0300
Reply-To: Jouko Pynnönen <jouko@ENVIRO.SOLUTIONS.FI>
From: Jouko Pynnönen <jouko@ENVIRO.SOLUTIONS.FI>
X-To: Chris Evans <chris@SCARY.BEASTS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0009252339070.25714-100000@ferret.lmh.ox.ac.uk>
Content-Transfer-Encoding: 8bit
On Tue, 26 Sep 2000, Chris Evans wrote:
> Welcome to a short series of security bugs, all involving mistakes with
> "user supplied format strings". This class of bug is very popular on
> Bugtraq at the moment, so what an ideal time for a few examples.
>
> BSD-lpr
> -------
>
> If we look into
>
> lpr/lpd/printjob.c, we can find the following two lines of code
>
>     if ((s = checkremote()))
>         syslog(LOG_WARNING, s);
>
> This is a classic format string mistake.
>
> It may not be exploitable, because the failure strings returned by
> checkremote() in lpr/common_source/common.c, do not contain much data that
> a user could control.

Correct me if I'm wrong, but in this case there is no user supplied
format string involved at all. This is in fact a mistake with
"administrator supplied format string". I looked at this a few months ago
and came to the conclusion that to exploit this, the user should be able
to modify /etc/printcap where the hostnames come from (i.e. have root
access), or make gethostname() return a format string, which is impossible
as well unless you already have root access.

This "bug" is certainly an example of some bad coding conventions, but it
is not exploitable under any imaginable circumstances. There have already
been, and there will be, more than enough alerts and advisories without
false alarms like this, right?

--
Jouko Pynnönen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.secmod.com
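
Added example, not part of the original thread or of the lpr source: the coding convention both posts refer to, shown as the hardened call next to a small audit helper that counts the conversion specifiers a message would trigger if it were passed as the format. `fake_checkremote()`, `count_conversions()`, the message text and the hostname are hypothetical and constructed for illustration; building with GCC's `-Wformat -Wformat-security` flags a call of the form `syslog(LOG_WARNING, s)`.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for checkremote(): returns a failure string that
 * embeds a hostname. The message text is constructed for this example. */
static const char *fake_checkremote(const char *host, char *buf, size_t len)
{
    snprintf(buf, len, "constructed failure: cannot resolve host %s", host);
    return buf;
}

/* Count the '%' conversions a printf-style function would act on if msg
 * were used as the format argument; "%%" is a literal percent sign. */
int count_conversions(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;        /* skip the escaped percent sign */
        else
            n++;        /* %x, %s, %n, or a dangling '%' */
    }
    return n;
}

/* Conversions that would be live if the failure string for this host were
 * handed to syslog() as the format, as in the quoted printjob.c lines. */
int conversions_in_failure(const char *host)
{
    char msg[256];
    return count_conversions(fake_checkremote(host, msg, sizeof msg));
}

/* The fix: a constant format, with the variable text passed as data. */
void log_failure(const char *msg)
{
    syslog(LOG_WARNING, "%s", msg);
}

/* Returns 1 when formatting with "%s" reproduces the message byte for byte. */
int fixed_output_is_literal(const char *host)
{
    char msg[256], out[256];
    fake_checkremote(host, msg, sizeof msg);
    snprintf(out, sizeof out, "%s", msg);
    return strcmp(out, msg) == 0;
}
```
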