Bugtraq mailing list archives

FORW: Re: Format String Attacks


From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Fri, 15 Sep 2000 01:51:40 -0700

Here are some interesting observations on this subject by someone who wished
to remain nameless.


------- Forwarded Message

Hmm... I'm not sure if it can be fixed in libc, even if it's GNU libc.

Erm, the Linux vendors seem to think so...

Linux vendors can guarantee something for the utilities they ship. Suppose
you are running Veritas Volume Manager on Solaris. Then you have
/etc/vx/slib/libc.so.1 which is a libc copy made when VxVM was installed.
I don't know what its purpose is, but it's there. Your libc patches
don't affect that copy. I don't know if some utility uses it, but in
case there is a setuid VxVM utility which uses it, you're vulnerable.

Even if Sun puts a fix in /usr/lib/libc.so.1.

Then there is the question of static linking and executables built
before libc patching. Some people seem to think that GNU gettext
is superior to Solaris gettext, or that Solaris gettext doesn't
work with free software. So they link GNU gettext statically. In those
cases libc gettext() & friends will never be called. I don't know
where NLSPATH cleaning code resides. But I doubt it can be put in
.init section, so there is a chance that something will be vulnerable.

Etc. etc. You already have a working system with god knows what installed.
It's hard to guarantee that the whole system is not going to be vulnerable
with a kludge in libc.so. Sun will fix Sun's utilities. Linux vendors have
fixed theirs (supposedly). Anything else is your problem. The only
OS which wasn't affected was OpenBSD, because it's OpenBSD. :-)

------- End of Forwarded Message


----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
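An added audit helper, not part of the forwarded message or this post, for the two cases the message warns about: a setuid binary that resolves libc to a private copy (the /etc/vx/slib/libc.so.1 case) or that is statically linked, so a libc patch never reaches it. It classifies ldd output; the list of vendor library directories and the sample ldd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Classify a binary by which libc it really uses, from the text `ldd <bin>` prints.
# Verdicts: "static", "private-libc:<path>", "system-libc", "no-libc".
# Directories that hold the vendor-patched libc; an assumption, adjust per host.
SYSTEM_LIBDIRS="/lib /lib64 /usr/lib /usr/lib64 /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu"

classify_ldd_output() {
    out="$1"
    # Static binaries: ldd has nothing to resolve, so a libc fix cannot apply.
    case "$out" in
        *"not a dynamic executable"*|*"statically linked"*)
            echo "static"; return 0 ;;
    esac
    # Take the resolved path from a line like "libc.so.1 =>  /usr/lib/libc.so.1".
    libc_path=$(printf '%s\n' "$out" | awk '/^[[:space:]]*libc\.so/ { print $3; exit }')
    [ -z "$libc_path" ] && { echo "no-libc"; return 0; }
    libc_dir=$(dirname "$libc_path")
    for d in $SYSTEM_LIBDIRS; do
        [ "$libc_dir" = "$d" ] && { echo "system-libc"; return 0; }
    done
    # Anything else is a private copy that vendor libc patches do not touch.
    echo "private-libc:$libc_path"
}

# Walk every setuid/setgid file and report those not on the system libc.
# Note: ldd runs the dynamic loader, so use it only on binaries you trust.
audit_setuid() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r bin; do
        verdict=$(classify_ldd_output "$(ldd "$bin" 2>&1)")
        case "$verdict" in
            system-libc) ;;
            *) printf '%s\t%s\n' "$verdict" "$bin" ;;
        esac
    done
}

# Constructed sample (not captured from a real host): the VxVM case from the message.
SAMPLE_VX='        libc.so.1 =>     /etc/vx/slib/libc.so.1'
classify_ldd_output "$SAMPLE_VX"   # prints private-libc:/etc/vx/slib/libc.so.1
[ "$1" = "--audit" ] && audit_setuid
```

Run with `--audit` as root to list every setuid/setgid binary whose libc is static or private; each line printed is a binary the libc patch did not cover.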
