Bugtraq mailing list archives
Re: a few bugs ...
From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Mon, 20 Mar 2000 21:00:08 -0500
On Fri, Mar 17, 2000 at 10:07:45AM +0100, Michal Zalewski wrote:
> > 3. ntalkd from the RedHat or Debian distribution... in old versions (<= 5.2 rh and <= 2.0 db) (I don't want to be wrong so I will not write its version - aleph bounced ;P sic!) it's known and patched but there wasn't an official post and it may be dangerous. There is fprintf() without format. Another hard to exploit bug :)
>
> Aham. According to ChangeLog:
>
> 26-Nov-1998: Fixed bug: the talkd announce message is passed as the format string to fprintf, so if it has %'s in it, we probably crash.
>
> Announce message (assembled in ntalkd/announce.c) contains remote username and remote hostname information, as well as some hardcoded texts like "Talk request from...". Take a note - we're talking about fprintf, so, assuming there's no interesting data in daemon address space (I don't think so - it is not performing any authorization, etc., only reads utmp entries), I don't think it might lead to anything except a crash. And, as it's started from inetd, I don't think it might have any security implications ;)
>
> Btw. Aleph, some time ago I described the proftpd crash problem with the LIST parameter. Instead of playing with FUD, I've done some debugging and realized it won't be _probably_ exploitable. As the result, you bounced that post, but approved this one - for sure overFUDed ;>
Actually, it was exploitable, if you are referring to the username-passed-in-format-string bit. In my efforts for crack.linuxppc.org (which I have not gotten around to writing up yet, but will - there were a few interesting tidbits), I used that for two tricks: to gain root access within the chroot and to disable dropping of capabilities.

Dan

Daniel Jacobowitz | SCS Class of 2002
Debian GNU/Linux Developer | Carnegie Mellon University
dan () debian org | dmj+ () andrew cmu edu
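The bug the two posters disagree about is the classic uncontrolled-format-string shape: the announce text, which already contains the remote user and host, is handed to fprintf() as the format rather than as data. The C below is an added example, not code from ntalkd or from either poster. It shows the safe call shape, a builder that assembles an announce message the way the mail describes (the exact wording is an assumption), and a small audit helper that counts how many conversions, and how many %n writes, a hostile username would smuggle into that message. The function names and the sample username are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern from the thread: the announce text, which embeds the
 * remote user and host, is passed to fprintf as the FORMAT argument:
 *
 *     fprintf(tf, msg);   // msg = "...requested by <user>@<host>..."
 *
 * Every '%' the remote user put into their name becomes a conversion.
 * The safe form keeps the format constant and passes the message as data.
 */
int announce_write_safe(char *out, size_t outsz, const char *msg)
{
    /* constant format; the message is an ordinary argument */
    return snprintf(out, outsz, "%s", msg);
}

/*
 * Assemble an announce message the way the daemon does: remote user and
 * host interpolated into fixed text. The wording here is an assumption;
 * the point is that user-controlled bytes land inside the result.
 */
int build_announce(char *out, size_t outsz, const char *user, const char *host)
{
    return snprintf(out, outsz,
                    "Message from Talk_Daemon@%s ...\n"
                    "talk: connection requested by %s@%s.\n"
                    "talk: respond with:  talk %s@%s\n",
                    host, user, host, user, host);
}

/*
 * Audit helper: count the conversions a string would trigger if it were
 * (mis)used as a printf format. "%%" is a literal and does not count.
 * *writes receives the number of %n conversions, the ones that turn a
 * "probably crash" into a memory write.
 */
int scan_format(const char *s, int *writes)
{
    int count = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%": literal percent sign */
            continue;
        if (*p == '\0')             /* trailing lone '%' */
            break;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt$", *p))
            p++;
        if (*p == '\0')
            break;
        count++;                    /* *p is the conversion character */
        if (*p == 'n')
            (*writes)++;
    }
    return count;
}

int main(void)
{
    char msg[256], out[256];
    int writes;

    /* constructed sample: a remote username carrying format directives */
    build_announce(msg, sizeof msg, "%08x%08x%n", "evil.example");
    int conv = scan_format(msg, &writes);
    printf("announce would trigger %d conversions, %d of them %%n writes\n",
           conv, writes);

    /* the safe path writes the message verbatim, '%' signs included */
    announce_write_safe(out, sizeof out, msg);
    fputs(out, stdout);
    return 0;
}
```

The scanner is the check to run when you find a string reaching a format argument: a non-zero count means the call is attacker-controlled, and any %n means it is a write primitive, not merely a crash. Note that the username appears twice in the announce text, so every directive in it is evaluated twice. Compiling with -Wformat-security flags the vulnerable call shape at build time.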