Bugtraq mailing list archives
Re: Format strings: bug #1: BSD-lpr
From: Sean Winn <sean () GOTHIC NET AU>
Date: Wed, 27 Sep 2000 21:28:09 +1100
Just an update; this was fixed in NetBSD within the last 17 hours.

http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/lpr/lpd/printjob.c

    Revision 1.24 / (download) - annotate - [select for diffs], Tue Sep 26 17:44:38 2000 UTC (16 hours, 41 minutes ago) by itojun
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.23: +3 -3 lines
    Diff to previous 1.23 (colored)

    syslog() string format hole.

----- Original Message -----
From: "Sean Winn" <sean () GOTHIC NET AU>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, September 26, 2000 4:51 PM
Subject: Re: Format strings: bug #1: BSD-lpr

NetBSD:

    if ((s = checkremote()) != NULL)
        syslog(LOG_WARNING, s);

FreeBSD:

        if ((s = checkremote(pp)) != 0) {
            syslog(LOG_WARNING, "%s", s);
            free(s);
        }
    }   /* closes the enclosing block, not shown in the excerpt */

Looking back, it appears to be fixed in this commit
(http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/lpr/lpd/printjob.c.diff?r1=1.17&r2=1.18):

    Revision 1.18 / (download) - annotate - [select for diffs], Tue Dec 2 20:45:58 1997 UTC (2 years, 9 months ago) by wollman
    Branch: MAIN
    Changes since 1.17: +321 -345 lines
    Diff to previous 1.17

    Mega lpd/lpd upgrade, part I:
    - Get rid of a lot of the static variables which were shared by many routines and programs in the suite.
    - Create an abstract interface to the printcap database, so that other retrieval and iteration mechanisms could be developed (e.g., YP, Hesiod, or automatic retrieval from a trusted server).
    - Give each capability a human-readable name in addition to the historic two-character one.
    - Otherwise generally clean up a lot of dark corners. Many still remain.
    - When submitting jobs, use the official login name record (from getlogin()) if there is one, rather than reverse-mapping the uid.
    More to come...

----- Original Message -----
From: "Chris Evans" <chris () SCARY BEASTS ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, September 26, 2000 10:57 AM
Subject: Format strings: bug #1: BSD-lpr

Hi,

INTRO
-----

Welcome to a short series of security bugs, all involving mistakes with "user supplied format strings". This class of bug is very popular on Bugtraq at the moment, so what an ideal time for a few examples.

BSD-lpr
-------

If we look into lpr/lpd/printjob.c, we can find the following two lines of code:

    if ((s = checkremote()))
        syslog(LOG_WARNING, s);

This is a classic format string mistake. It may not be exploitable, because the failure strings returned by checkremote() in lpr/common_source/common.c do not contain much data that a user could control. However, it illustrates that format string bugs creep in everywhere, even in code that gets syslog() calls correct the majority of the time, as is the case with BSD-lpr.

Fix
---

OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS, but they also offer web indexed CVS. They caught it independently as part of their "format strings" audit.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20

Conclusion
----------

The next format string bug in the series will be much more interesting.

Cheers
Chris
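The two call shapes compared in the thread, written out as an added example (this is not code from the thread, from NetBSD, FreeBSD or OpenBSD lpr, or from any of the posters). warn_to_buf() is a stand-in for syslog() that formats into a caller-supplied buffer so the behaviour can be checked offline; the message text is a constructed sample, not an actual checkremote() return value. count_conversions() is the check a reviewer or a guard in front of a format slot would apply to a string that came from data rather than from a literal in the source.

```c
/*
 * Added example: not code from the thread above nor from any BSD lpr
 * source. warn_to_buf() stands in for syslog() and formats into a caller
 * buffer so the behaviour can be checked offline. The message text is a
 * constructed sample, not an actual checkremote() return value.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* GCC/Clang: mark the wrapper printf-like so -Wformat -Wformat-security
 * warns when the format argument is not a string literal, i.e. the shape
 * of syslog(LOG_WARNING, s) in the NetBSD code quoted above. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* syslog()-shaped stand-in: a format string followed by its arguments. */
static void warn_to_buf(char *out, size_t outsz, const char *fmt, ...) PRINTF_LIKE(3, 4);

static void warn_to_buf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* The FreeBSD shape: a literal "%s" is the format and the message is an
 * argument, so a '%' inside the message is copied, never interpreted. */
void log_remote_warning_fixed(char *out, size_t outsz, const char *msg)
{
    warn_to_buf(out, outsz, "%s", msg);
}

/* Returns 1 if the fixed call reproduces the message byte for byte. */
int fixed_call_keeps_message_literal(const char *msg)
{
    char buf[256];
    log_remote_warning_fixed(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

/* Count conversion specifications in a string. "%%" is a literal percent
 * and is not counted. A non-zero result for a string that came from data
 * rather than from a literal in the source is what a code review or a
 * runtime guard in front of a format slot is looking for. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal '%', skip the pair */
            s++;
            continue;
        }
        n++;                    /* '%' followed by anything else starts a conversion */
    }
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed sample message with percent signs in a queue name. */
    const char *msg = "queue 'lp%d' on host 'spool%s' is not reachable";

    log_remote_warning_fixed(buf, sizeof buf, msg);
    printf("fixed call logs : %s\n", buf);
    printf("conversions seen: %d\n", count_conversions(msg));
    return 0;
}
```

With the format attribute in place, a call of the NetBSD shape, warn_to_buf(buf, sizeof buf, msg), is reported by gcc or clang under -Wall -Wformat-security at compile time; the "%s" form is the change both the FreeBSD and the NetBSD commits in the thread made.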
Current thread:
- Format strings: bug #1: BSD-lpr Chris Evans (Sep 25)
- Re: Format strings: bug #1: BSD-lpr Kris Kennaway (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Jouko Pynnönen (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Valdis Kletnieks (Sep 27)