Bugtraq mailing list archives
Re: Format String Attacks
From: Casper Dik <Casper.Dik () HOLLAND SUN COM>
Date: Fri, 15 Sep 2000 09:15:45 +0200
> Note that perror() itself may perform localization on some platforms and under some circumstances (e.g., if compiled with -lintl under Solaris).

perror() is always localized; -lintl isn't an actual library since Solaris 2.5 when it was merged into libc.

> I don't know whether it's exploitable in practice, but it appears to me as though this wrapper could suffer, at least theoretically, from the same weakness as the programs it's trying to protect.

That one isn't; no printf is involved in perror(). (It's gettext(strerror(errno)) written with write)

Of course, there are two other gaping holes in the wrapper, so that point is a bit moot.

Casper
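
The distinction drawn in the message above (message text emitted with write rather than handed to a printf-family call as the format), as an added C example that is not code from the original post or from Solaris libc. The names `write_all`, `report_error` and `capture_report` are hypothetical, and the message text used to exercise it is constructed.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: write the whole buffer, retrying short writes. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * perror-style reporter. msg stands in for gettext(strerror(errno)), i.e.
 * text a message catalog may supply. It is only copied out as bytes, so
 * conversion specifiers in it are never interpreted. The risky form would
 * be passing msg as the format argument of a printf-family call.
 */
int report_error(int fd, const char *prefix, const char *msg)
{
    if (prefix != NULL && *prefix != '\0') {
        if (write_all(fd, prefix, strlen(prefix)) < 0 ||
            write_all(fd, ": ", 2) < 0)
            return -1;
    }
    if (write_all(fd, msg, strlen(msg)) < 0) return -1;
    return write_all(fd, "\n", 1);
}

/* Capture report_error() output through a pipe so it can be inspected. */
int capture_report(const char *prefix, const char *msg, char *out, size_t outsz)
{
    int p[2];
    if (outsz == 0 || pipe(p) < 0) return -1;
    int rc = report_error(p[1], prefix, msg);
    close(p[1]);
    ssize_t n = read(p[0], out, outsz - 1);
    close(p[0]);
    if (rc < 0 || n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}
```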