Bugtraq mailing list archives

Re: proftp advisory


From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Wed, 5 Jul 2000 15:27:27 -0700


On Mon, Jul 03, 2000 at 12:40:54PM +0200, lamagra wrote:
Bug1:
  void set_proc_title(char *fmt,...) in src/main.c

  <snippet>
  memset(statbuf, 0, sizeof(statbuf));
  vsnprintf(statbuf, sizeof(statbuf), fmt, msg);

  #ifdef HAVE_SETPROCTITLE
      setproctitle(statbuf);
  #endif /* HAVE_SETPROCTITLE */
  </snippet>

  setproctitle, defined as setproctitle(char *fmt, ...), calls vsnprintf().
  This makes it vulnerable to format attacks. By carefully outlining the
  attack buffer it's possible to gain root privileges.

  Fix: use setproctitle("%s",statbuf);

Note that this is a problem only if you have a setproctitle() in libc
(or libutil).  Linux does not (glibc 2.x), and I don't believe Solaris
does either.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/
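The two shapes described above side by side, as an added example that is not part of the thread or of ProFTPD's source: because Linux glibc has no setproctitle(), a hypothetical `fake_setproctitle` stands in for the BSD variadic function, and the title format, user name and function names are constructed for the demonstration. Passing the already-formatted buffer as the format reinterprets any `%` sequences in user-supplied data; passing it behind a constant `"%s"` copies it verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for BSD setproctitle(3): a variadic function that
 * formats its arguments with vsnprintf, as the advisory describes. */
static char proc_title[256];

static void fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof(proc_title), fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (hypothetical name): statbuf already contains the
 * user-supplied name, and is then handed over as the *format* of the
 * second call, so '%' sequences inside that name are interpreted again.
 * The title format string is constructed for this example. */
const char *set_proc_title_vulnerable(const char *user)
{
    char statbuf[256];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s - USER", user);
    fake_setproctitle(statbuf);          /* data used as format */
    return proc_title;
}

/* Fixed shape, as the advisory recommends: statbuf is an argument to the
 * constant "%s" format, so its bytes are copied through unchanged. */
const char *set_proc_title_fixed(const char *user)
{
    char statbuf[256];
    memset(statbuf, 0, sizeof(statbuf));
    snprintf(statbuf, sizeof(statbuf), "proftpd: %s - USER", user);
    fake_setproctitle("%s", statbuf);    /* data stays data */
    return proc_title;
}
```

A benign user name of `"%%"` is enough to see the difference: the vulnerable path collapses it to a single `%`, the fixed path preserves it, which is the observable sign that the first path treats input as a format string.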
