Re: m4 and format strings

[Matt Zimmerman <mdz () csh rit edu>]

On Wed, Jun 27, 2001 at 12:52:40AM -0700, Samy Kamkar [CommPort5] wrote:

> > [elguapo@linux elguapo]$ m4 %x,%x,%x,%x,%x,%x,%x
> > m4: 0,bffff818,4000d2ce,805df78,8048c56,4002e0bc,4014af2c: No such file
> > or directory
> >
> > can anyone think of a situation where this could cause root
> > to be exploitated... m4 is not suid to my understanding.
>
> Since it's not suid by default, you can't gain root from it directly. 
> If another program (that is suid) is using it, then you might be able to
> depending on how it's used...also, that's assuming that format string
> bug is actually exploitable.  It's only opening that file so I doubt you
> can do any exploitation with it...

If you can control the filename that is passed to m4 by a privileged program,
there are far easier ways to gain privileges than trying to exploit a format
string bug.  Instead, pass the name of a file that you created, with contents
like:

syscmd(touch /evil)

-- 
 - mdz