[16925] in bugtraq
Re: Format strings: bug #1: BSD-lpr
daemon@ATHENA.MIT.EDU (Sean Winn)
Wed Sep 27 13:00:44 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <000c01c0286d$a22e8d40$1d48b6ca@mysterious>
Date: Wed, 27 Sep 2000 21:28:09 +1100
Reply-To: Sean Winn <sean@GOTHIC.NET.AU>
From: Sean Winn <sean@GOTHIC.NET.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Just an update; this was fixed in NetBSD within the last 17 hours.
http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/lpr/lpd/printjob.c
Revision 1.24, Tue Sep 26 17:44:38 2000 UTC (16 hours, 41 minutes ago) by itojun
Branch: MAIN
CVS Tags: HEAD
Changes since 1.23: +3 -3 lines
syslog() string format hole.
----- Original Message -----
From: "Sean Winn" <sean@GOTHIC.NET.AU>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Tuesday, September 26, 2000 4:51 PM
Subject: Re: Format strings: bug #1: BSD-lpr
> NetBSD:
>
> if ((s = checkremote()) != NULL)
>         syslog(LOG_WARNING, s);
>
>
> FreeBSD:
>
> if ((s = checkremote(pp)) != 0) {
>         syslog(LOG_WARNING, "%s", s);
>         free(s);
> }
> }
>
>
> Looking back, it appears to be fixed in this commit
>
> (http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/lpr/lpd/printjob.c.diff?r1=1.17&r2=1.18)
>
> Revision 1.18, Tue Dec 2 20:45:58 1997 UTC (2 years, 9 months ago) by wollman
> Branch: MAIN
> Changes since 1.17: +321 -345 lines
> Mega lpd/lpd upgrade, part I:
>
> - Get rid of a lot of the static variables which were shared by
> many routines and programs in the suite.
> - Create an abstract interface to the printcap database, so that
> other retrieval and iteration mechanisms could be developed
> (e.g., YP, Hesiod, or automatic retrieval from a trusted server).
> - Give each capability a human-readable name in addition to the historic
> two-character one.
> - Otherwise generally clean up a lot of dark corners. Many still remain.
> - When submitting jobs, use the official login name record (from getlogin())
>   if there is one, rather than reverse-mapping the uid.
>
> More to come...
>
>
>
> ----- Original Message -----
> From: "Chris Evans" <chris@SCARY.BEASTS.ORG>
> To: <BUGTRAQ@SECURITYFOCUS.COM>
> Sent: Tuesday, September 26, 2000 10:57 AM
> Subject: Format strings: bug #1: BSD-lpr
>
>
> > Hi,
> >
> > INTRO
> > -----
> >
> > Welcome to a short series of security bugs, all involving mistakes with
> > "user supplied format strings". This class of bug is very popular on
> > Bugtraq at the moment, so what an ideal time for a few examples.
> >
> > BSD-lpr
> > -------
> >
> > If we look into
> >
> > lpr/lpd/printjob.c, we can find the following two lines of code
> >
> > if ((s = checkremote()))
> >         syslog(LOG_WARNING, s);
> >
> > This is a classic format string mistake.
> >
> > It may not be exploitable, because the failure strings returned by
> > checkremote() in lpr/common_source/common.c do not contain much data that
> > a user could control.
> >
> > However, it illustrates that format string bugs creep in everywhere, even
> > in code that gets syslog() calls correct the majority of the time, as is
> > the case with BSD-lpr.
> >
> > Fix
> > ---
> >
> > OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS,
> > but they also offer web indexed CVS. They caught it independently as part
> > of their "format strings" audit.
> >
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20
> >
> > Conclusion
> > ----------
> >
> > The next format string bug in the series will be much more interesting.
> >
> > Cheers
> > Chris
> >
>
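The two syslog() shapes quoted in this thread, side by side, as an added example: this is not lpd's code nor any BSD project's code. A small in-process logger that formats into a buffer stands in for syslog(3) so the logged text can be inspected; build_warning() is a constructed stand-in for checkremote(), and the host names and the "%x%x%x%n" probe are constructed inputs, not strings lpd actually produces. The runnable part uses "%%" (the only directive that is well defined with no arguments) to show the two paths diverging; the comment on log_as_format() says what a "%x" or "%n" in the message would do instead.

```c
/*
 * Added example (not lpd's code): the two syslog() patterns from the
 * thread, with an in-process logger standing in for syslog(3). The
 * warning text, host names and probe string are constructed inputs.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Constructed stand-in for checkremote(): a warning that embeds a host
 * name taken from configuration, i.e. the part a user might influence. */
static void build_warning(char *out, size_t n, const char *host)
{
    snprintf(out, n, "unable to get official name for local machine %s", host);
}

/* Variadic like syslog(3). When called with the message as the format and
 * no further arguments, as the NetBSD snippet did, every '%' directive in
 * the message is interpreted: "%x" reads an argument that was never passed
 * and "%n" writes through one. With __attribute__((format(printf, 3, 4)))
 * on this prototype, gcc/clang -Wformat-security would flag such a call,
 * which is how the glibc syslog() prototype lets lint catch it. */
static void log_as_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* The FreeBSD shape: a fixed format, the message passed as data. */
static void log_as_data(char *out, size_t n, const char *msg)
{
    log_as_format(out, n, "%s", msg);
}

/* Build the warning for HOST and log it the safe or the unsafe way;
 * returns the text that reached the log. Only "%%" is well defined with
 * no arguments, so that is what the runnable demonstration uses. */
static const char *logged_text(int safe, const char *host)
{
    static char msg[LOGBUF], out[LOGBUF];
    build_warning(msg, sizeof msg, host);
    if (safe)
        log_as_data(out, sizeof out, msg);
    else
        log_as_format(out, sizeof out, msg);
    return out;
}

/* Audit helper: how many conversion directives a string would carry if it
 * were used as a format ("%%" is an escape, not a conversion). A string
 * that flows into a format argument and scores above zero deserves a look. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *host = "%%lp%%";          /* constructed: '%' in a host name */
    const char *payload = "lp%x%x%x%n";   /* constructed: a classic probe    */

    printf("as data  : %s\n", logged_text(1, host));
    printf("as format: %s\n", logged_text(0, host));
    printf("directives in \"%s\": %d\n", payload, count_directives(payload));
    return 0;
}
```

The unsafe path collapses the "%%" pairs in the host name, which is harmless in itself but shows that the message is being parsed as a format; swap in the probe string and the same call reads stack slots and, with "%n", writes to one. The count_directives() helper is the quick check to run over any string that ends up as a syslog() or printf() format argument.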