Bugtraq mailing list archives

Re: Vulnerability in the Xt library

From: mcn () remise ORG (Mike Neuman)
Date: Wed, 28 Aug 1996 17:21:37 -0600

This pretty much depends on how doprnt works (also, the vs 3 compiler from
Sun has different stack allocations, depending on the optimization).


  You're right. My data point was from a Solaris 1.x system, which appears
to be invulnerable to this specific attack for the sprintf() format overflow
reason.  (Hmmm, reason not to upgrade? :-) )

  Actually, it seems the BSD _doprnt (including the 4.4BSD equivalent
vfprintf() ) will continue until they encounter a '\0' (or segfault), which
probably means they are somewhat less vulnerable.

  Thanks for the clarification.

-Mike
mcn () EnGarde com

Current thread:

Re: BUG in /bin/bash, (continued)
- - Re: BUG in /bin/bash Digital Dreamer (Aug 22)
  - Re: BUG in /bin/bash Earle Ake (Aug 22)
  - IE 3.0? InterAccess Support Manager (Aug 22)
    - Re: IE 3.0? Dave Andersen (Aug 23)
    - More on the UnixWare problem Todd Vierling (Aug 23)
    - resolv+ and finger... C. Hodges (Aug 23)
    - Vulnerability in the Xt library Aleph One (Aug 24)
    - Re: Vulnerability in the Xt library Stefan `Sec` Zehl (Aug 25)
    - Re: Vulnerability in the Xt library Mike Neuman (Aug 27)
    - Re: Vulnerability in the Xt library Casper Dik (Aug 28)
    - Re: Vulnerability in the Xt library Mike Neuman (Aug 28)
    - RFD: libsuid VaX#n8 (Aug 24)
    - More on UnixWare 2.x vulnerability Todd Vierling (Aug 24)
    - Re: (WORKAROUND) More on UnixWare 2.x vulnerability Hannu Laurila (Aug 24)
    - polyglots (multi-language programs) John Nemeth (Aug 24)
  - Re: BUG in /bin/bash Arthur Hyun (Aug 22)
  - Re: BUG in /bin/bash Brian Clapper (Aug 23)