Re: a few bugs ...

[lcamtuf () DIONE IDS PL (Michal Zalewski)]

On Fri, 17 Mar 2000, Michal Zalewski wrote:

> <...> assuming there's no interesting data in daemon address space (I
> don't think so - it is not performing any authorization, etc, only
> reads utmp entries), I don't think it might lead to anything except
> crash. And, as it's started from inetd, I don't think it might have
> any security implications ;)

...after getting priv response from z33d...

Ok, z33d, sorry, I should think twice before sending flames :) Of course,
there's one way to cause some mess - with %n format string. Unfortunately,
ntalk request packet is relatively small and fixed-size, so we have just a
little stack space to play with - we might skip just a few dwords with eg
'%d', but we're limited with max size of caller's login, which must fit in
this packet. In range of 6 dwords on stack (NAME_SIZE=12), I can't see any
address or variable, which can be altered with relatively small dword
(with 3 higher bytes unset, as request message isn't long) and result in
anything else than crash. Unfortunately, we can't even hit in the middle
of some address to and affect only less important byte(s).

So, first of all I'd like to say I'm sorry for my previous response, but,
in fact, I still believe this bug cannot be exploited in any way, and it
has no security implications.

_______________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=