Bugtraq mailing list archives

Re: format bugs, in addition to the wuftpd bug


From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Mon, 26 Jun 2000 14:27:33 -0500


I spent some time last weekend going over a handful of
daemons/privileged programs that I suspected had issues with formatting
characters in user-supplied data.  I will not release the names of
affected programs yet as I am waiting for their maintainers to get back
to me, but I would like to cover a seemingly unknown security issue with
passing user-defined fields to the syslog function:

Many daemons log bad login attempts with the usernames to syslog.  If
syslog is called with 2 arguments only and the fmt string being passed
to it contains user data, syslog will happily expand those format
strings.  This could lead to garbled log messages or even jumping to
arbitrary code.  Here is an example of the right and wrong way to log
user supplied data to syslog:

[WRONG] - soon to be disclosed daemon
syslog(priority, userdata);

[RIGHT] - OpenSSH 2.1.1p1
syslog(priority, "%.500s", userdata);

-HD

http://www.secureaustin.com/

Lamagra Argamal wrote:

Don't expect too much, but it explains it well enough.

Great reading, even if it's a little short ;)
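The two calls above side by side, as an added example that is not part of the original post or of any of the daemons it refers to. The code models the formatting step inside syslog(3) with a small vsnprintf wrapper (assumed here so the result can be inspected in a buffer; a real syslog(priority, userdata) behaves the same way but writes to the log), shows a constructed username being collapsed by the wrong call and logged verbatim by the right one, and adds a small audit helper that flags strings containing format directives. The function names `emit`, `log_wrong`, `log_right`, `has_format_directive` and `long_username` are all assumptions for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOGBUF 1024

/* Stand-in for the formatting step inside syslog(3)/vsyslog(3): whatever
 * arrives as fmt is interpreted by the printf engine. No format attribute
 * is declared, so the compiler cannot warn about a non-literal fmt, which
 * is exactly the situation in which these bugs go unnoticed. */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* [WRONG] user data is the format string; models syslog(priority, userdata).
 * "%%" collapses to "%"; "%x" or "%s" would read arguments that were never
 * passed, and "%n" would write to an address taken from the stack. */
const char *log_wrong(const char *userdata)
{
    static char buf[LOGBUF];
    emit(buf, sizeof buf, userdata);
    return buf;
}

/* [RIGHT] fixed format, user data passed as an argument and capped at 500
 * bytes; models syslog(priority, "%.500s", userdata) from OpenSSH 2.1.1p1. */
const char *log_right(const char *userdata)
{
    static char buf[LOGBUF];
    emit(buf, sizeof buf, "%.500s", userdata);
    return buf;
}

/* Audit helper: would this string be expanded if it reached a format
 * argument? Any '%' not immediately followed by another '%' counts. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Constructed 600-byte username, longer than the "%.500s" cap. */
const char *long_username(void)
{
    static char name[601];
    memset(name, 'A', 600);
    name[600] = '\0';
    return name;
}

int main(void)
{
    /* Constructed username, as an attacker might type it at a login prompt. */
    const char *user = "guest%%%%";

    printf("wrong: bad login for %s\n", log_wrong(user));   /* %% collapsed to % */
    printf("right: bad login for %s\n", log_right(user));   /* logged verbatim */
    printf("directives in \"%%x%%x%%n\": %d\n", has_format_directive("%x%x%n"));
    printf("right, 600-byte name: %zu bytes logged\n", strlen(log_right(long_username())));

    /* The real call, done the OpenSSH way. Harmless if no syslogd is listening. */
    openlog("fmtdemo", LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, "bad login attempt for user %.500s", user);
    closelog();
    return 0;
}
```

Only the "%%" case is exercised through the wrong call on purpose: a username such as "%x%x%n" passed as the format string is undefined behaviour, which is the whole point of the advisory, so the example merely detects it. Modern compilers report the real bug directly when the format argument is not a literal (gcc's -Wformat-security), which is a cheap first pass over a code base before auditing each syslog call by hand.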

