Bugtraq mailing list archives

Re: Format String Attacks


From: Casper Dik <Casper.Dik () HOLLAND SUN COM>
Date: Fri, 15 Sep 2000 09:15:45 +0200

> Note that perror() itself may perform localization on some platforms and
> under some circumstances (e.g., if compiled with -lintl under Solaris).

perror() is always localized; -lintl isn't an actual library since
Solaris 2.5 when it was merged into libc.

> I don't know whether it's exploitable in practice, but it appears to me
> as though this wrapper could suffer, at least theoretically, from the
> same weakness as the programs it's trying to protect.


That one isn't; no printf is involved in perror().
(It's gettext(strerror(errno)) written with write)


Of course, there are two other gaping holes in the wrapper, so
that point is a bit moot.

Casper

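To make the reply's point concrete, here is an added example (not code from the thread or from Solaris libc) that rebuilds perror() the way Casper describes it: the caller's prefix and strerror(errno) are copied byte for byte and emitted with a single write(2). Because no printf-family function touches the string, a user-controlled prefix is data, never a format; the gettext() localization step is left out and the function names are my own.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stddef.h>

/* Hypothetical perror()-style message builder: prefix + ": " + strerror(err)
 * + "\n", assembled with memcpy only. '%' bytes in prefix are never
 * interpreted because nothing here parses a format string. */
size_t build_perror_msg(const char *prefix, int err, char *out, size_t cap)
{
    size_t n = 0;
    const char *msg = strerror(err);
    if (cap == 0) return 0;
    cap--;                               /* keep room for the NUL */
    if (prefix && *prefix) {
        size_t len = strlen(prefix);
        if (len > cap - n) len = cap - n;
        memcpy(out + n, prefix, len); n += len;
        if (n + 2 <= cap) { out[n++] = ':'; out[n++] = ' '; }
    }
    size_t mlen = strlen(msg);
    if (mlen > cap - n) mlen = cap - n;
    memcpy(out + n, msg, mlen); n += mlen;
    if (n < cap) out[n++] = '\n';
    out[n] = '\0';
    return n;
}

/* Emit like perror(): one write(2) to stderr, no formatting pass at all. */
void my_perror(const char *prefix)
{
    char buf[512];
    size_t n = build_perror_msg(prefix, errno, buf, sizeof buf);
    (void)write(STDERR_FILENO, buf, n);
}

/* Check helper: 1 if a non-empty prefix survives verbatim ('%' included)
 * and the message ends with strerror(err) followed by a newline. */
int prefix_kept_literal(const char *prefix, int err)
{
    char buf[512];
    size_t n = build_perror_msg(prefix, err, buf, sizeof buf);
    size_t plen = strlen(prefix);
    const char *msg = strerror(err);
    size_t mlen = strlen(msg);
    if (n != plen + 2 + mlen + 1) return 0;
    if (memcmp(buf, prefix, plen) != 0) return 0;
    if (memcmp(buf + plen, ": ", 2) != 0) return 0;
    if (memcmp(buf + plen + 2, msg, mlen) != 0) return 0;
    return buf[n - 1] == '\n';
}

int main(void)
{
    errno = EINVAL;
    my_perror("untrusted prefix containing %s and %n");  /* printed literally */
    return 0;
}
```

A wrapper that instead hands the same prefix to printf() or syslog() as the format argument is the case the rest of the thread is about; the difference is only which function sees the string.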
