Bugtraq mailing list archives
Re: [VulnWatch] Bypassing libsafe format string protection
From: Steve Beattie <steve () wirex net>
Date: Wed, 20 Mar 2002 10:24:18 -0800
On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1. Libsafe protection against format string exploits may be easily
> bypassed using flag characters that are implemented in glibc but are
> not implemented in libsafe.
>
> 2. Libsafe *printf function wrappers incorrectly parse argument indexing
> in format strings. They always assume that the n-th conversion
> specification uses the n-th argument and do not properly count the real
> number of arguments used. Thus, arguments whose index numbers are above
> the total number of conversion specifications are not verified at all.
I'd like to point out that the Immunix FormatGuard tool (which provides similar protection against format string attacks to libsafe) is not vulnerable to these kinds of attacks because it explicitly uses glibc's parse_printf_format() to determine the number of arguments required for a given format string -- parse_printf_format() is the same function that glibc's *printf() functions use internally to parse arguments.

--
Steve Beattie                                   Don't trust programmers?
<steve () wirex net>                 Complete StackGuard distro at
http://NxNW.org/~steve/                         immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
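The argument-counting problem in point 2 of the advisory, as an added example that is not code from either poster, from libsafe or from FormatGuard: a naive counter that assumes the n-th conversion specification consumes the n-th argument, beside a parser that follows the glibc grammar (`%n$` positions, `*` and `*m$` width/precision arguments, and glibc's full flag set `-+ #0'I`). glibc's own parse_printf_format() from <printf.h> (a GNU extension) returns the same required-argument count; the counting is re-implemented here so the example runs without it. All function names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive count: treat every conversion specification (other than "%%") as
   consuming exactly one argument, in order. This is the assumption the
   advisory says libsafe's wrappers make. */
size_t count_conversions(const char *fmt)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent, not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Parse a run of decimal digits at p; store the value in *out (0 if none). */
static const char *read_number(const char *p, unsigned *out)
{
    unsigned v = 0;
    while (*p >= '0' && *p <= '9')
        v = v * 10 + (unsigned)(*p++ - '0');
    *out = v;
    return p;
}

/* Record that 1-based argument position `pos` is consumed. */
static void use_arg(size_t pos, size_t *max_pos)
{
    if (pos > *max_pos)
        *max_pos = pos;
}

/* Consume one '*' width/precision argument: "*m$" (positional) or plain "*"
   (next sequential argument). p points just past the '*'. */
static const char *star_arg(const char *p, size_t *next_seq, size_t *max_pos)
{
    unsigned num;
    const char *q = read_number(p, &num);
    if (num > 0 && *q == '$') {
        use_arg(num, max_pos);
        return q + 1;
    }
    use_arg(++*next_seq, max_pos);
    return p;
}

/* Number of variadic arguments the format string can touch: the highest
   position referenced, sequentially or via "%n$". Returns 0 for a string a
   glibc-compatible parser would reject (unknown conversion character). */
size_t count_required_args(const char *fmt)
{
    size_t next_seq = 0, max_pos = 0;
    const char *p = fmt;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {        /* "%%" */
            p++;
            continue;
        }

        /* "%n$": explicit argument position */
        unsigned num;
        size_t pos = 0;
        const char *q = read_number(p, &num);
        if (num > 0 && *q == '$') {
            pos = num;
            p = q + 1;
        }

        /* Flags. glibc accepts all of these; a wrapper that knows fewer stops
           parsing here and loses track of the conversions that follow. */
        while (*p && strchr("-+ #0'I", *p))
            p++;

        /* Field width: digits, "*", or "*m$" */
        if (*p == '*')
            p = star_arg(p + 1, &next_seq, &max_pos);
        else
            p = read_number(p, &num);

        /* Precision: ".digits", ".*", or ".*m$" */
        if (*p == '.') {
            p++;
            if (*p == '*')
                p = star_arg(p + 1, &next_seq, &max_pos);
            else
                p = read_number(p, &num);
        }

        /* Length modifiers */
        while (*p && strchr("hlLqjzt", *p))
            p++;

        /* Conversion specifier consumes one argument */
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p))
            return 0;
        use_arg(pos ? pos : ++next_seq, &max_pos);
        p++;
    }
    return max_pos;
}

int main(void)
{
    /* Constructed sample format strings, not taken from the advisory. */
    const char *samples[] = { "%s %s %s", "%3$s", "%2$*1$d", "%*.*s", "%'d" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s naive=%zu required=%zu\n", samples[i],
               count_conversions(samples[i]), count_required_args(samples[i]));
    return 0;
}
```

For `"%3$s"` the naive counter reports one conversion, so a wrapper built on it would check only the first argument slot, while the real requirement is three slots; a wrapper has to verify every slot up to count_required_args(), not up to count_conversions().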