Vulnerability Development mailing list archives
Re: Unreal ircd Format String Vuln
From: Syzop <syz () dds nl>
Date: Tue, 26 Feb 2002 04:07:21 +0100
Hi,

"Gabriel A. Maggiotti" wrote:
> Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function. This
> function is in /src/cio_main.c file
>
> Piece of code:
>
>     va_start(argptr, InBuf);
>     Len = vsprintf(Buffer, InBuf, argptr);
>     va_end(argptr);
>
> The problem is with InBuf, if %p.%p.%p.%n is written in InBuf a segfault
> is produced, the program crashes when it tries to copy the value of eax
> to the address of edx.

Are you talking about:

    BOOL Cio_PrintF(HWND hWnd, char *InBuf, ...)
    {
    [..]
        va_start(argptr, InBuf);
        Len = vsprintf(Buffer, InBuf, argptr);
        va_end(argptr);

??

Then I think you are wrong because it's the purpose of that function (see glibc documentation for example for va_* stuff).

Of course if the function Cio_PrintF is called with user input in InBuf we have a problem.

BTW I've never seen that function before and I don't see it used anywhere but I might be wrong (I never look at the windows part of the UnrealIrcd source).

Please use Unreal3.2 (beta6 currently) instead, Unreal3.1.2 has some serious bugs.

Bram Matthys (1% UnrealIrcd coder)

PS: Please report bugs to coders () lists unrealircd org
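The distinction drawn in the reply above, between a printf-style wrapper and a caller that hands it untrusted text as the format, shown as an added example that is not part of the original message or of the UnrealIRCd source. The names wrap_printf, emit_untrusted and count_conversions are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a wrapper like Cio_PrintF. The GCC/Clang format
 * attribute lets -Wformat-security flag callers passing a non-literal format;
 * vsnprintf bounds the write, unlike vsprintf. */
__attribute__((format(printf, 3, 4)))
static int wrap_printf(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return len;
}

/* Safe call pattern: untrusted text is data for a constant "%s" format.
 * The unsafe pattern is wrap_printf(out, cap, untrusted). */
static int emit_untrusted(char *out, size_t cap, const char *untrusted)
{
    return wrap_printf(out, cap, "%s", untrusted);
}

/* Audit helper (simplified parser): count conversion specifications in s,
 * treating "%%" as a literal percent; *has_n is set if %n appears. */
static int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    while (*s) {
        if (*s++ != '%') continue;          /* not the start of a conversion */
        if (*s == '%') { s++; continue; }   /* "%%" is a literal percent */
        s += strspn(s, "-+ #0123456789.*hlLqjzt$"); /* flags, width, length */
        if (*s == '\0') break;              /* dangling '%' at end of string */
        if (*s == 'n') *has_n = 1;
        count++; s++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    int has_n, n;
    const char *input = "%p.%p.%p.%n"; /* constructed sample input */
    emit_untrusted(buf, sizeof buf, input);
    n = count_conversions(input, &has_n);
    printf("%s: %d conversions, %%n present: %d\n", buf, n, has_n);
    return 0;
}
```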