Vulnerability Development mailing list archives

Re: m4 and format strings


From: Robert van der Meulen <rvdm () cistron nl>
Date: Wed, 27 Jun 2001 17:27:03 +0200

Hi,

Quoting Samy Kamkar [CommPort5] (CommPort5 () LucidX com):
> [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
> m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file or directory
> can anyone think of a situation where this could cause root
> to be exploited... m4 is not suid to my understanding.
Take a look at some of the threads on other security-related mailing lists,
especially about the semi-recent 'man' vulnerabilities; these were based on
m4 format string vulnerabilities.

> Since it's not suid by default, you can't gain root from it directly.
> If another program (that is suid) is using it, then you might be able to
> depending on how it's used...also, that's assuming that format string
> bug is actually exploitable.  It's only opening that file so I doubt you
> can do any exploitation with it...
Why would 'only opening the file' be a problem?

> Also, testing on my machine (fbsd) I just get:
> m4: %x,%x,%x,%x,%x,%x,%x: No such file or directory
man was definitely vulnerable through this. I think someone thought of some
creative use of sendmail as well..

Greets,
        Robert

-- 
                              Linux Generation
   encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
 "There are two major products that come out of Berkeley: LSD and UNIX. We
        don't believe this to be a coincidence." -- Jeremy Anderson
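The two outputs quoted above differ in whether the filename reaches the message formatter as the format string or as data. The following is an added illustration of that error-reporting pattern, written for this archive page; it is not m4's source and the function names are invented. The safe form prints the directives literally (the fbsd-style output); the unsafe form, kept only as a comment, would interpret them and dump stack words (the Linux-style output).

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Hypothetical model of m4's "cannot open file" error path.
 *
 * UNSAFE pattern (shown as a comment on purpose, do not build it):
 *     fprintf(stderr, "m4: ");
 *     fprintf(stderr, fname);          -- user data used as the FORMAT
 *     fprintf(stderr, ": %s\n", strerror(err));
 * A filename such as "%x,%x,%x" makes printf walk the varargs area and
 * print whatever is on the stack, which is the leak in the quoted post.
 */

/* SAFE pattern: the filename is always an argument to a fixed format.
 * Returns the snprintf length so callers (and tests) can check it. */
int report_missing_file(char *buf, size_t n, const char *fname, int err)
{
    /* "%s" copies '%' sequences in fname verbatim; nothing is interpreted */
    return snprintf(buf, n, "m4: %s: %s", fname, strerror(err));
}

/* Defensive helper for code review, fuzz triage or log inspection:
 * count printf conversion directives in a value that is supposed to be
 * a plain filename. "%%" is a literal percent and is not counted. A
 * non-zero result on a filename is exactly the probe in the quoted post. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    char msg[256];
    /* constructed sample argument, same shape as the one in the post */
    const char *fname = argc > 1 ? argv[1] : "%x,%x,%x,%x,%x,%x,%x";

    report_missing_file(msg, sizeof msg, fname, ENOENT);
    puts(msg);
    printf("format directives in argument: %d\n", count_format_directives(fname));
    return 0;
}
```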

