Bugtraq mailing list archives
Re: Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp
From: Paul Murphy <Paul.Murphy () GEMINI-GENOMICS COM>
Date: Sat, 30 Sep 2000 22:36:52 +0100
Chris Evans concluded from the output of GREP:
> More format string bugs. Exploitability on these has not really been researched. Current feeling is "maybe exploitable under certain circumstances/configurations".
>
> ./common/errwarn.c: syslog (log_priority | LOG_ERR, mbuf);
> ./common/errwarn.c: syslog (LOG_CRIT, "exiting.");
> ./common/errwarn.c: syslog (log_priority | LOG_ERR, mbuf);
> ./common/errwarn.c: syslog (log_priority | LOG_INFO, mbuf);
> ./common/errwarn.c: syslog (log_priority | LOG_DEBUG, mbuf);
> ./common/errwarn.c: syslog (log_priority | LOG_ERR, mbuf);
> ./common/errwarn.c: syslog (log_priority | LOG_ERR, token_line);
Given that syslog() can be fooled by passing it user input which contains format characters, indiscriminate use of syslog with untrusted buffers is a very bad idea. However, by investigating further, it becomes apparent that all of the buffers passed to syslog within the DHCP server are either static, or use variables which are under the full control of the program. The only details which come from an external source are taken from the configuration file, which is only accessible by root anyway.

Unless Chris can show that one of these variables can be influenced in some way which causes a security problem, it's a non-issue. Without proving that such a problem exists, it's worse than identifying a real security problem, since it maligns software which is actually pretty well written, and may cause a loss of confidence in it.

Finally, I'd be interested to know whether Chris contacted ISC or Ted Lemon before posting. Most people on the list seem to prefer the vendor having some chance of issuing a patch before the news of a potential security problem goes public.

Best Wishes,

Paul.

-----------------------------------------------------------------------------
Paul Murphy - Head of I.T., Gemini Genomics
162 Science Park, Cambridge CB4 0GH
Tel. 01223 435305 Fax. 01223 435301
http://www.gemini-genomics.com/
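The exchange turns on one question: can data that is not fully under the program's control reach the format argument of syslog()? The following C example is added here for illustration and is not code from the thread or from ISC's dhcpd; the log_unsafe/log_safe wrappers, the count_conversions() triage check, and the "constructed-client-host" sample value are all assumptions made for the example. It shows the pattern flagged by the grep output beside its hardened form (a constant "%s" format), plus a small check an auditor can run over the buffers that feed a logging call to decide whether Paul's "fully under the control of the program" argument holds for a given code path.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The pattern flagged in the grep output: the message buffer itself is
   used as the format string. If mbuf can ever contain '%' sequences that
   the program did not put there, printf-style parsing interprets them.
   Shown for contrast only; it is never called in this example.
   gcc/clang report this with -Wformat-security (or -Werror=format-security). */
static void log_unsafe(int pri, const char *mbuf) {
    syslog(pri, mbuf);
}

/* Hardened form: the format string is a compile-time constant and the
   buffer is only ever an argument, so its contents are copied verbatim. */
void log_safe(int pri, const char *mbuf) {
    syslog(pri, "%s", mbuf);
}

/* Same contrast without touching the system logger, so the result can be
   inspected: renders mbuf into 'out' through a constant format. Returns
   the length that was written (as snprintf does). */
int render_safely(char *out, size_t outlen, const char *mbuf) {
    return snprintf(out, outlen, "%s", mbuf);
}

/* Triage check for an audit: counts the conversion specifications that a
   printf-family function would act on if this buffer were ever used as a
   format string. "%%" is a literal percent sign and is not counted; a
   lone trailing '%' is counted because it is still an (incomplete)
   conversion. A non-zero result for a buffer built from anything outside
   the program's control is the condition Paul asks Chris to demonstrate. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample: a hostname-like value of the kind a network
       daemon might log. Not taken from any real client or capture. */
    const char *client_host = "constructed-client-host-%x-%x";
    char mbuf[128];
    char rendered[128];

    snprintf(mbuf, sizeof mbuf, "lease request from %s", client_host);

    /* The audit check flags the buffer as dangerous if used as a format. */
    printf("conversions in mbuf: %d\n", count_conversions(mbuf));

    /* The hardened path preserves the buffer byte-for-byte. */
    render_safely(rendered, sizeof rendered, mbuf);
    printf("rendered: %s\n", rendered);
    log_safe(LOG_INFO, mbuf);   /* writes the same text to syslog, verbatim */

    (void)log_unsafe;           /* referenced only so the contrast compiles cleanly */
    return 0;
}
```

Whether a given syslog(pri, mbuf) call is a finding depends entirely on where mbuf's bytes come from; the count_conversions() check only answers "would this buffer be interpreted if it were a format", and the data-flow question (static text and program-controlled variables versus packet or client-supplied fields) still has to be traced by hand as the thread describes. Compiling with -Werror=format-security makes the unsafe form fail the build regardless of that analysis, which is the cheaper fix.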
Current thread:
- Re: Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp Paul Murphy (Sep 30)
- Re: Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp Chris Evans (Oct 01)