Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vulnerability in Linux Kiss Server v1.2

From: "David Judais" <david.judais () googlemail com>
Date: Wed, 5 Mar 2008 16:29:53 -0500
Why isn't there a patch?


From: vashnukad () vashnukad com


Site: http://www.vashnukad.com

Application: Linux Kiss Server v1.2

Type: Format strings

Priority: Medium

Patch available: No


The Linux Kiss Server contains a format strings vulnerability that, if run
in foreground mode, can be leveraged for access. The vulnerability is
demonstrated in the code below:

            Function log_message():

                  if(background_mode == 0)

                  {

                    if(type == 'l')

                      fprintf(stdout,log_msg);


                    if(type == 'e')

                      fprintf(stderr,log_msg);

                    free(log_msg);

                  }




            Function kiss_parse_cmd():



                  /* check full command name */

                  if (strncmp(cmd, buf, cmd_len))

                      {

                         asprintf(&log_msg,"unknow command: `%s'", buf);

                         log_message(log_msg,'e');

                         goto error;

                      }

                  buf += cmd_len;



So putting something like %n%n%n in 'buf' you can trigger the vulnerability.


-- 

Name: Vashnukad

E-mail: vashnukad () vashnukad com

Site: http://www.vashnukad.com




-- 

Name: Vashnukad

e-mail: vashnukad () vashnukad com

Site: http://www.vashnukad.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: