Full Disclosure mailing list archives
Re: gnu-less Format String Vulnerability
From: Serkan Akpolat <sakpolat () gmx net>
Date: Wed, 18 Aug 2004 21:08:54 +0300
Tim wrote:
> > +-----[ Description ]-----+
> > Format string vulnerability.
> >
> > +-----[ Vulnerable Code ]-----+
> > From less-382: [filename.c] : 787
> >
> > public char *
> > open_altfile(filename, pf, pfd)
> >         char *filename;
> >         int *pf;
> >         void **pfd;
> > {
> >         ...................
> >         if ((lessopen = lgetenv("LESSOPEN")) == NULL
> >         ...................
> >         sprintf(cmd, lessopen, filename);   <-- Format String Problem Here
> >         ...................
> > }
>
> I am sorry, I fail to see how this is a vulnerability. If you have control of LESSOPEN, you already have shell, since, from the man page:
>
> "An input preprocessor is simply an executable program (or shell script), which writes the contents of the file to a different file, called the replacement file. ... To set up an input preprocessor, set the LESSOPEN environment variable to a command line which will invoke your input preprocessor."
>
> Perhaps it would be better written if the LESSOPEN parser only allowed %s to work, as advertised, and not the other sprintf codes, but it really isn't a security issue (unless I am totally missing something). If you are really worried about it, add the -L option when running less, and it will ignore LESSOPEN.
>
> cheers,
> tim
Yes, thank you for the correction. It is a bug, not a vulnerability.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
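The fix Tim sketches, a LESSOPEN expander that honours only the documented %s and never hands the user-controlled template to sprintf() as a format string, written out as an added C example. This is not code from less or from either poster: the function names, the return conventions and the sample templates are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a LESSOPEN template expander that honours only "%s".
 * Every other '%' sequence is copied through literally instead of being
 * interpreted by sprintf(), so a template such as "%x %n %s" can only ever
 * produce the text "%x %n <filename>". Function names are made up for
 * this illustration; less itself does not use them.
 *
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * output buffer is too small to hold the expansion. */
int expand_lessopen(char *out, size_t outsz, const char *tmpl, const char *filename)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (p[0] == '%' && p[1] == 's') {
            size_t n = strlen(filename);
            if (o + n >= outsz)
                return -1;
            memcpy(out + o, filename, n);
            o += n;
            p++;                    /* skip the 's' of "%s" */
        } else {
            if (o + 1 >= outsz)
                return -1;
            out[o++] = *p;          /* any other byte, '%' included, is literal */
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Returns 1 if every '%' in the template is immediately followed by 's',
 * i.e. the template carries no conversion that sprintf() would act on
 * beyond the documented "%s". A 0 result is the signal that the template
 * must not be used as a format string. */
int template_uses_only_s(const char *tmpl)
{
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] != 's')
                return 0;
            p++;
        }
    }
    return 1;
}

/* Convenience wrapper for the demonstration: expands into a fixed buffer
 * and reports whether the result equals the expected text. */
int expand_matches(const char *tmpl, const char *filename, const char *expected)
{
    char cmd[128];
    int n = expand_lessopen(cmd, sizeof cmd, tmpl, filename);
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(cmd, expected) == 0;
}

int main(void)
{
    /* Constructed sample templates; the second is what a hostile LESSOPEN
     * might look like, the third is simply malformed. */
    const char *templates[] = { "lesspipe.sh %s", "%x %n %s", "trailing %" };
    char cmd[128];
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        int n = expand_lessopen(cmd, sizeof cmd, templates[i], "file.txt");
        /* The template is printed as an argument of a fixed format, never as the format itself. */
        printf("template \"%s\": sprintf-safe=%d expands to \"%s\" (%d bytes)\n",
               templates[i], template_uses_only_s(templates[i]), cmd, n);
    }
    return 0;
}
```

The two functions separate the two defensive choices available: template_uses_only_s() rejects anything beyond the documented %s up front, while expand_lessopen() makes the point moot by never using the template as a format string at all. Either removes the class of defect Tim describes, independent of whether LESSOPEN is considered attacker-controlled.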
Current thread:
- gnu-less Format String Vulnerability Serkan Akpolat (Aug 18)
- Re: gnu-less Format String Vulnerability Tim (Aug 18)
- Re: gnu-less Format String Vulnerability Serkan Akpolat (Aug 18)
- Re: gnu-less Format String Vulnerability Tim (Aug 18)