Bugtraq mailing list archives
Re: format bugs, in addition to the wuftpd bug
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Mon, 26 Jun 2000 14:27:33 -0500
I spent some time last weekend going over a handful of daemons/privileged programs that I suspected had issues with formatting characters in user-supplied data. I will not release the names of affected programs yet as I am waiting for their maintainers to get back to me, but I would like to cover a seemingly-unknown security issue with passing user-defined fields to the syslog function:

Many daemons log bad login attempts with the usernames to syslog. If syslog is called with 2 arguments only and the fmt string being passed to it contains user data, syslog will happily expand those format strings. This could lead to garbled log messages or even jumping to arbitrary code.

Here is an example of the right and wrong way to log user supplied data to syslog:

[WRONG] - soon to be disclosed daemon
    syslog(priority, userdata);

[RIGHT] - OpenSSH 2.1.1p1
    syslog(priority, "%.500s", userdata);

-HD
http://www.secureaustin.com/

Lamagra Argamal wrote:
Don't expect too much, but it explains it good enough.
Great reading, even if it's a little short ;)
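The difference between the two calls in the message above, as an added example that is not part of the original post. `capture_log` is a hypothetical stand-in with the same `(priority, fmt, ...)` shape as `syslog()` that formats into a buffer so the resulting line can be inspected; the constructed input contains only `%%`, which consumes no arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for syslog(): formats like syslog() does, but keeps
 * the result in memory instead of sending it to the log daemon. */
static char last_line[600];

static void capture_log(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;               /* unused here; kept to mirror syslog() */
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* WRONG: the user-supplied string is the format string, so every '%'
 * sequence in it is interpreted by the formatter. */
const char *log_wrong(const char *userdata)
{
    capture_log(LOG_AUTH | LOG_NOTICE, userdata);
    return last_line;
}

/* RIGHT: the format is a constant; user data is only an argument and is
 * copied byte for byte, truncated to 500 bytes by the precision. */
const char *log_right(const char *userdata)
{
    capture_log(LOG_AUTH | LOG_NOTICE, "%.500s", userdata);
    return last_line;
}

int main(void)
{
    const char *name = "bob%%";   /* constructed sample username */
    printf("wrong: %s\n", log_wrong(name));   /* the formatter rewrote it */
    printf("right: %s\n", log_right(name));   /* logged exactly as received */
    return 0;
}
```

Any mismatch between what was received and what was logged means the input was treated as a format string; the constant-format form cannot produce one.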