Bugtraq mailing list archives

Re: Format strings: bug #1: BSD-lpr


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 27 Sep 2000 12:41:15 -0400

On Wed, 27 Sep 2000 13:23:48 +0300, Jouko Pynnönen <jouko () ENVIRO SOLUTIONS FI> said:
> "administrator supplied format string". I looked at this a few months ago
> and came to the conclusion that to exploit this, the user should be able
> to modify /etc/printcap where the hostnames come from (i.e. have root
> access), or make gethostname() return a format string, which is impossible
> as well unless you already have root access.

Umm.. or if the local site has delegated an "add a new printer" capacity
to a semi-trusted user via sudo or similar..

Yes, /etc/printcap is "supposed to be" writable by root only.  However,
this doesn't excuse writing code that blindly assumes the file can't
be corrupted.  Even if it's not exploitable *now*, if in the next
release of the "Sysadmin Tools" package there's support for delegating
things like printer control to an operator (note - such support is standard
in AIX and Irix already), the resulting "brittle" software will have an
exposure.

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
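
The defensive pattern argued for in the message above, as an added example that is not part of the original post and is not BSD lpr's own code: a host name read from a printcap-style file is validated and is only ever passed as data to a constant format string. The names valid_hostname, log_msg and report_down, and the message texts, are hypothetical.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical validator for a host name read from a printcap-style file:
 * letters, digits, '-' and '.' only, so '%' can never get through. */
int valid_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hypothetical logging wrapper. The format attribute lets gcc/clang check
 * every call site when built with -Wformat -Wformat-security. */
PRINTF_LIKE(3, 4)
int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Brittle form (not compiled here): log_msg(out, n, host);
 * Robust form: constant format string, configured value passed as data. */
int report_down(char *out, size_t n, const char *host)
{
    if (!valid_hostname(host))
        return log_msg(out, n, "invalid host name in printer config (%zu bytes)", strlen(host));
    return log_msg(out, n, "connection to %s is down", host);
}
```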
