Bugtraq mailing list archives

Re: format bugs, in addition to the wuftpd bug


From: jason.axley () ATTWS COM (Jason Axley)
Date: Thu, 29 Jun 2000 08:29:44 -0700


I think that these bugs are symptoms of a larger issue:  trusting program
input implicitly.  Do these programs ensure that they sanity-check and
filter user-controllable data before they use it?  Those are bugs
too!  If not, these programs are due for all kinds of other mischief
in the future.  Sanity checking won't catch all of these formatting bugs
since for some user-controllable data, it could be perfectly legitimate to
find formatting strings inside.  They are, however, the way to catch many
other unforeseen bugs.

A combination of filtering and explicit formatting strings is a more
complete solution.

-Jason

On Mon, 26 Jun 2000, H D Moore wrote:

Date: Mon, 26 Jun 2000 14:27:33 -0500
From: H D Moore <hdm () SECUREAUSTIN COM>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: [BUGTRAQ] format bugs, in addition to the wuftpd bug

I spent some time last weekend going over a handful of
daemons/privileged programs that I suspected had issues with formatting
characters in user-supplied data.  I will not release the names of
affected programs yet as I am waiting for their maintainers to get back
to me, but I would like to cover a seemingly-unknown security issue with
passing user-defined fields to the syslog function:

Many daemons log bad login attempts with the usernames to syslog.  If
syslog is called with 2 arguments only and the fmt string being passed
to it contains user data, syslog will happily expand those format
strings.  This could lead to garbled log messages or even jumping to
arbitrary code.  Here is an example of the right and wrong way to log
user supplied data to syslog:

[WRONG] - soon to be disclosed daemon
syslog(priority, userdata);

[RIGHT] - OpenSSH 2.1.1p1
syslog(priority, "%.500s", userdata);

-HD


http://www.secureaustin.com/

Lamagra Argamal wrote:

Don't expect too much, but it explains it well enough.

Great reading, even if it's a little short ;)


--

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
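An added example, not code from the thread or from OpenSSH, showing both halves of the fix the posts describe: the user-controlled field is always passed as an argument to a constant "%.500s" format, and a separate sanity check flags stray conversion directives in it. The function names (has_format_directive, render_user_field, log_user_field) are hypothetical; render_user_field uses snprintf with the same format so the result can be inspected without a syslog daemon.

```c
/* Added example (not from the thread): explicit format string plus a
 * sanity check for user-controlled fields logged via syslog.
 * All function names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Returns 1 if s contains a '%' that starts a conversion directive
 * (anything other than the literal escape "%%"), else 0.  This is a
 * sanity check only: such data is still logged, just never as a format. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign, skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Builds the log line the way the [RIGHT] example does: the user data is an
 * argument, never the format, and "%.500s" caps how much of it is copied.
 * Returns the length snprintf would have produced. */
int render_user_field(char *out, size_t outlen,
                      const char *label, const char *userdata)
{
    return snprintf(out, outlen, "%s: %.500s", label, userdata);
}

/* Logs a user-controlled field to syslog.  The format is a constant;
 * userdata is only ever an argument, so "%n" or "%x" inside it is written
 * to the log as plain text.  A field containing directives is also noted. */
void log_user_field(int priority, const char *label, const char *userdata)
{
    if (has_format_directive(userdata))
        syslog(LOG_WARNING, "%s: field contains format directives", label);
    syslog(priority, "%s: %.500s", label, userdata);
}
```

GCC's -Wformat-security warns at compile time on the [WRONG] form above (a non-literal format with no further arguments), which is a cheap way to find this pattern across a code base.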


