Bugtraq mailing list archives
Re: Format strings: bug #1: BSD-lpr
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 27 Sep 2000 12:41:15 -0400
On Wed, 27 Sep 2000 13:23:48 +0300, Jouko Pynnönen <jouko () ENVIRO SOLUTIONS FI> said:
> "administrator supplied format string". I looked at this a few months ago and came to the conclusion that to exploit this, the user should be able to modify /etc/printcap where the hostnames come from (i.e. have root access), or make gethostname() return a format string, which is impossible as well unless you already have root access.
Umm.. or if the local site has delegated an "add a new printer" capacity to a semi-trusted user via sudo or similar..

Yes, /etc/printcap is "supposed to be" writable by root only. However, this doesn't excuse writing code that blindly assumes the file can't be corrupted. Even if it's not exploitable *now*, if in the next release of the "Sysadmin Tools" package there's support for delegating things like printer control to an operator (note - such support is standard in AIX and Irix already), the resulting "brittle" software will have an exposure.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
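The defensive coding the reply above argues for, as an added example (not code from lpr or from anyone in this thread): a hostname read from /etc/printcap is treated as untrusted data, checked, and only ever passed as an argument to a constant format string. The function names and sample values are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check: accept only characters legal in a hostname, so a
 * corrupted printcap entry is rejected instead of trusted. */
int host_is_sane(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 255)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Build a log line. The format string is a constant and the printcap value
 * is only an argument to %s, so any '%' in it is copied as plain data.
 * Brittle form this replaces: snprintf(buf, len, host); */
int format_host_error(char *buf, size_t len, const char *host)
{
    if (!host_is_sane(host))
        return snprintf(buf, len, "rejected malformed printer host entry");
    return snprintf(buf, len, "cannot reach printer host %s", host);
}

/* Without validation: the constant format alone keeps '%' inert. */
int format_host_raw(char *buf, size_t len, const char *host)
{
    return snprintf(buf, len, "printer host: %s", host);
}

int main(void)
{
    char buf[128];
    /* Constructed sample values standing in for printcap hostnames. */
    const char *samples[] = { "print1.example.edu", "%s%n" };
    for (int i = 0; i < 2; i++) {
        format_host_error(buf, sizeof buf, samples[i]);
        puts(buf);
        format_host_raw(buf, sizeof buf, samples[i]);
        puts(buf);
    }
    return 0;
}
```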
Current thread:
- Format strings: bug #1: BSD-lpr Chris Evans (Sep 25)
- Re: Format strings: bug #1: BSD-lpr Kris Kennaway (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Jouko Pynnönen (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Valdis Kletnieks (Sep 27)