[16934] in bugtraq
Re: Format strings: bug #1: BSD-lpr
daemon@ATHENA.MIT.EDU (Valdis Kletnieks)
Wed Sep 27 14:20:45 2000
Message-Id: <200009271641.e8RGfFh18834@black-ice.cc.vt.edu>
Date: Wed, 27 Sep 2000 12:41:15 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis Kletnieks <Valdis.Kletnieks@VT.EDU>
X-To: Jouko Pynnönen <jouko@ENVIRO.SOLUTIONS.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 27 Sep 2000 13:23:48 +0300."
<Pine.LNX.4.10.10009271251040.11984-100000@enviro.solutions.fi>
On Wed, 27 Sep 2000 13:23:48 +0300, Jouko Pynnönen <jouko@ENVIRO.SOLUTIONS.FI> said:
> "administrator supplied format string". I looked at this a few months ago
> and came to the conclusion that to exploit this, the user should be able
> to modify /etc/printcap where the hostnames come from (ie. have root
> access), or make gethostname() return a format string, which is impossible
> as well unless you already have root access.
Umm.. or if the local site has delegated an "add a new printer" capacity
to a semi-trusted user via sudo or similar..
Yes, /etc/printcap is "supposed to be" writable by root only. However,
this doesn't excuse writing code that blindly assumes the file can't
be corrupted. Even if it's not exploitable *now*, if in the next
release of the "Sysadmin Tools" package there's support for delegating
things like printer control to an operator (note - such support is standard
in AIX and Irix already), the resulting "brittle" software will have an
exposure.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
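
The defensive pattern argued for in the message above, as an added example (not code from BSD lpr and not part of the original post): a host name read from /etc/printcap is treated as untrusted data, checked against a conservative character set, and only ever passed as an argument to a constant format string. The function names, the allowed character set and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept only letters, digits, '-' and '.', so '%'
 * and other format metacharacters are rejected even if the configuration
 * file was edited by a delegated operator rather than root. */
int hostname_is_sane(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > 255)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hypothetical helper: build a status line. The format string is a
 * constant; the host name is only ever an argument to %s, never the
 * format itself. Returns bytes written, or -1 if the name is rejected
 * or the output would be truncated. */
int format_status(char *out, size_t outlen, const char *host)
{
    if (!hostname_is_sane(host))
        return -1;
    int n = snprintf(out, outlen, "connection to %s is down", host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample values standing in for printcap host names. */
    const char *samples[] = { "printer1.example.com", "lp%x.example.com", "" };
    char line[128];
    for (size_t i = 0; i < 3; i++) {
        if (format_status(line, sizeof line, samples[i]) < 0)
            puts("rejected: suspicious host name in config");
        else
            puts(line);
    }
    return 0;
}
```

Either measure alone closes the hole; doing both means a later change that drops one of them does not reintroduce it.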