Re: gnu-less Format String Vulnerability

[Serkan Akpolat <sakpolat () gmx net>]

Tim wrote:
> > +-----[ Description ]-----+
> >
> > Format string vulnerability.
> >
> >
> > +-----[ Vulnerable Code ]-----+
> > From less-382:
> >
> > [filename.c] : 787
> >
> >    public char *
> > open_altfile(filename, pf, pfd)
> >    char *filename;
> >    int *pf;
> >    void **pfd;
> > {
> >    ...................
> >    if ((lessopen = lgetenv("LESSOPEN")) == NULL
> >    ...................
> >    sprintf(cmd, lessopen, filename); <-- Format String Problem Here
> >    ...................
> >
> > }
>
>
>
> I am sorry, I fail to see how this is a vulnerability.
>
> If you have control of LESSOPEN, you already have shell, since, from the
> man page:
>
> "An input preprocessor is simply an executable program (or shell
> script), which writes the  contents of the file to a different file,
> called the replacement file.
> ...
> To  set  up  an input  preprocessor, set the LESSOPEN environment
> variable to a command line which will invoke your  input  preprocessor."
>
>
> Perhaps it would be better written if the LESSOPEN parser only allowed
> %s to work, as advertized, and not the other sprintf codes, but it
> really isn't a security issue (unless I am totally missing something).
> If you are really worried about it, add the -L option when running less,
> and it will ignore LESSOPEN.
>
> cheers,
> tim

Yes , thank you for correction.
It is a bug not a vulnerability.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html