Bugtraq mailing list archives
Re: format bugs, in addition to the wuftpd bug
From: jason.axley () ATTWS COM (Jason Axley)
Date: Thu, 29 Jun 2000 08:29:44 -0700
I think that these bugs are symptoms of a larger issue: trusting program input implicitly. Do these programs ensure that they sanity-check and filter user-controllable data before they use it? Those are bugs too! If not, these programs are due for all kinds of other mischief in the future.

Sanity checking won't catch all of these formatting bugs, since for some user-controllable data it could be perfectly legitimate to find formatting strings inside. They are, however, the way to catch many other unforeseen bugs. A combination of filtering and explicit formatting strings is a more complete solution.

-Jason

On Mon, 26 Jun 2000, H D Moore wrote:

Date: Mon, 26 Jun 2000 14:27:33 -0500
From: H D Moore <hdm () SECUREAUSTIN COM>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: [BUGTRAQ] format bugs, in addition to the wuftpd bug

I spent some time last weekend going over a handful of daemons/privileged programs that I suspected had issues with formatting characters in user-supplied data. I will not release the names of affected programs yet, as I am waiting for their maintainers to get back to me, but I would like to cover a seemingly unknown security issue with passing user-defined fields to the syslog function:

Many daemons log bad login attempts with the usernames to syslog. If syslog is called with 2 arguments only and the fmt string being passed to it contains user data, syslog will happily expand those format strings. This could lead to garbled log messages or even jumping to arbitrary code. Here is an example of the right and wrong way to log user supplied data to syslog:

[WRONG] - soon to be disclosed daemon

    syslog(priority, userdata);

[RIGHT] - OpenSSH 2.1.1p1

    syslog(priority, "%.500s", userdata);

-HD
http://www.secureaustin.com/

Lamagra Argamal wrote:
Don't expect too much, but it explains it well enough.

Great reading, even if it's a little short ;)
--
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
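The two syslog calls HD Moore contrasts above, together with the filtering step Jason recommends, as an added example in C. This is not code from either poster, from OpenSSH, or from any of the daemons mentioned. Because syslog(3) output cannot be inspected from a test, `fake_syslog` is an assumed stand-in that takes the same `(priority, fmt, ...)` arguments and formats into a caller-supplied buffer the way vsyslog() does internally; `sanitize_log_field` and the `check_*` functions are illustration helpers, and every username is a constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Assumed stand-in for syslog(3): same calling convention, but the formatted
 * line lands in `out` instead of the log so it can be examined. The real
 * function hands `fmt` and the variadic arguments to vsnprintf() exactly
 * like this, which is why user data in `fmt` gets interpreted. */
static int fake_syslog(char *out, size_t outsz, int priority, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)priority;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* [WRONG] the daemon pattern from the thread: the username *is* the format. */
static int log_failed_login_wrong(char *out, size_t outsz, const char *user)
{
    return fake_syslog(out, outsz, LOG_AUTH | LOG_WARNING, user);
}

/* [RIGHT] a literal format with a width cap, the OpenSSH 2.1.1p1 pattern.
 * "%.500s" prints at most 500 bytes of `user`; `%` in it is plain data. */
static int log_failed_login_right(char *out, size_t outsz, const char *user)
{
    return fake_syslog(out, outsz, LOG_AUTH | LOG_WARNING,
                       "failed login for %.500s", user);
}

/* Filtering step (illustration helper): copy at most dstsz-1 bytes and replace
 * anything outside printable ASCII with '?'. This does not stop format
 * directives (a '%' is printable), but it blocks newlines and escape
 * sequences that would let a username forge a second log line or drive
 * the administrator's terminal when the log is viewed. */
static void sanitize_log_field(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++)
        dst[i] = (src[i] >= 0x20 && src[i] <= 0x7e) ? src[i] : '?';
    dst[i] = '\0';
}

/* Constructed username. "%%" is the one directive that consumes no argument,
 * so the demonstration stays deterministic; "%x" or "%n" in the same spot
 * would read from or write to stack the caller never passed (undefined
 * behaviour, and the actual exploit vector), so they are not run here. */
int check_wrong_path_expands_format(void)
{
    char out[128];
    log_failed_login_wrong(out, sizeof out, "bob%%");
    return strcmp(out, "bob%") == 0;       /* the data was interpreted */
}

int check_right_path_logs_verbatim(void)
{
    char out[128];
    log_failed_login_right(out, sizeof out, "bob%%");
    return strcmp(out, "failed login for bob%%") == 0;
}

/* Returns the formatted length for a 600-byte username: the 17-byte prefix
 * plus the 500 bytes the ".500" precision allows. */
int check_width_cap(void)
{
    char user[601], out[1024];
    memset(user, 'A', 600);
    user[600] = '\0';
    return log_failed_login_right(out, sizeof out, user);
}

/* Filter then format: a username carrying a fake log line and a terminal
 * clear-screen sequence is neutralised before it reaches the log. */
int check_filter(void)
{
    char clean[64], out[128];
    sanitize_log_field(clean, sizeof clean, "bob\nJun 29 root login OK\x1b[2J");
    log_failed_login_right(out, sizeof out, clean);
    return strcmp(out, "failed login for bob?Jun 29 root login OK?[2J") == 0;
}

int main(void)
{
    printf("wrong path altered the data: %d\n", check_wrong_path_expands_format());
    printf("right path logged verbatim:  %d\n", check_right_path_logs_verbatim());
    printf("capped length for 600 bytes: %d\n", check_width_cap());
    printf("filter stripped controls:    %d\n", check_filter());
    return 0;
}
```

The width cap is the part that matters beyond the literal format: without ".500", a literal "%s" still stops the format-string bug, but a multi-kilobyte username would be copied whole into the log, and older syslog implementations built the line in a fixed-size buffer. Compiling daemons with `-Wformat-security` flags the WRONG form (a non-literal format with no arguments) at build time, which is the cheapest check a practitioner can add.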
Current thread:
- Sendmail 8.10.2, Linux 2.4.0 - capabilities Valdis Kletnieks (Jun 08)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities xdr (Jun 09)
- format bugs, in addition to the wuftpd bug Lamagra Argamal (Jun 24)
- Re: format bugs, in addition to the wuftpd bug H D Moore (Jun 26)
- iMesh 1.02 vulnerability Blue Panda (Jun 29)
- Re: format bugs, in addition to the wuftpd bug Jason Axley (Jun 29)
- Concerning the LDAP Enabled Netscape FTP Server Alfred Huger (Jun 27)
- Glftpd privpath bugs... +fix Raymond Dijkxhoorn (Jun 26)
- Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
- IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)