Vulnerability Development mailing list archives
Re: m4 and format strings
From: Robert van der Meulen <rvdm () cistron nl>
Date: Wed, 27 Jun 2001 17:27:03 +0200
Hi,

Quoting Samy Kamkar [CommPort5] (CommPort5 () LucidX com):
> > [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
> > m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file or directory
> >
> > can anyone think of a situation where this could cause root to be
> > exploited... m4 is not suid to my understanding.

Take a look at some of the threads on other security-related mailing lists; especially about the semi-recent 'man' vulnerabilities; these were based on m4 string format vulnerabilities.

> Since it's not suid by default, you can't gain root from it directly. If
> another program (that is suid) is using it, then you might be able to
> depending on how it's used...also, that's assuming that format string bug
> is actually exploitable. It's only opening that file so I doubt you can do
> any exploitation with it...

Why would 'only opening the file' be a problem?

> Also, testing on my machine (fbsd) I just get:
> m4: %x,%x,%x,%x,%x,%x,%x: No such file or directory

man was definitely vulnerable through this. I think someone thought of some creative use of sendmail as well..

Greets,
Robert

--
Linux Generation
encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
"There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." -- Jeremy Anderson
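Added example, not part of the original message and not m4's or man's actual source: the two outputs quoted in the thread correspond to an error reporter that receives the file name either as its format string or as data for a constant "%s" format. The function names (report, open_failed_vulnerable, open_failed_fixed) are hypothetical, and the "m4:" prefix only mirrors the output quoted above.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reporter in the "prog: message: strerror(errno)" style.
 * It builds the line in out so the result can be inspected. */
static void report(char *out, size_t n, int errnum, const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);   /* fmt is interpreted here */
    va_end(ap);
    snprintf(out, n, "m4: %s: %s", msg, strerror(errnum));
}

/* Vulnerable pattern: the untrusted file name is the format string, so
 * each %x in it makes vsnprintf fetch an argument that was never passed. */
void open_failed_vulnerable(char *out, size_t n, const char *name)
{
    report(out, n, ENOENT, name);
}

/* Hardened pattern: constant format, file name passed as data. */
void open_failed_fixed(char *out, size_t n, const char *name)
{
    report(out, n, ENOENT, "%s", name);
}

int main(int argc, char **argv)
{
    /* Default input is the file name used in the thread. */
    const char *name = argc > 1 ? argv[1] : "%x,%x,%x,%x,%x,%x,%x";
    char line[512];

    open_failed_fixed(line, sizeof line, name);
    printf("fixed:      %s\n", line);
    open_failed_vulnerable(line, sizeof line, name);
    printf("vulnerable: %s\n", line);
    return 0;
}
```

With an ordinary file name both variants produce the same line, which is why the defect goes unnoticed in normal use. Declaring report with GCC's format(printf, 4, 5) attribute lets -Wformat-security flag the vulnerable call at compile time.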