Bugtraq mailing list archives
Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp
From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Tue, 26 Sep 2000 00:58:12 +0100
Hi,

SUMMARY
-------

More format string bugs. Exploitability on these has not really been
researched. Current feeling is "maybe exploitable under certain
circumstances/configurations". An in-depth discussion is not required.

Here are the locations of the code flaws:

---
[root@localhost dhcp-2.0]# pwd
/usr/src/redhat/BUILD/dhcp-2.0
[root@localhost dhcp-2.0]# find . -name \*.c | xargs grep syslog |less
./client/dhclient.c:    /* Initially, log errors to stderr as well as to syslogd. */
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (LOG_CRIT, "exiting.");
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_INFO, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_DEBUG, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
./common/errwarn.c:     syslog (log_priority | LOG_ERR, token_line);
./common/errwarn.c:     syslog (log_priority | LOG_ERR,
./relay/dhcrelay.c:     /* Initially, log errors to stderr as well as to syslogd. */
./server/dhcpd.c:       /* Initially, log errors to stderr as well as to syslogd. */
[root@localhost dhcp-2.0]#
---

ucd-snmp-4.1.2/snmplib/snmp_logging.c
snmp_log_string()
~line 183

...
  if (do_syslogging) {
    syslog(priority, string);
  }
...

---

Cheers
Chris
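An added example, not part of the original message and not code from either project: the grep audit above, narrowed so that it reports only `syslog()` calls whose format argument is not a string literal, ignoring comments and handling calls split across lines. The sample input is constructed, and the names `strip_comments`, `split_args` and `audit` are assumptions of this example.

```python
import re

# Constructed sample, modelled on the call shapes quoted in the message above.
SAMPLE = '''\
/* Initially, log errors to stderr as well as to syslogd. */
syslog (log_priority | LOG_ERR, mbuf);
syslog (LOG_CRIT, "exiting.");
syslog (log_priority | LOG_ERR,
        "%s", msg);
if (do_syslogging) { syslog(priority, string); }
'''

# Matches a C string literal, a block comment, or a line comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src):
    """Blank out comments (string literals untouched), keeping line numbers."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"'
                      else re.sub(r'[^\n]', ' ', m.group(0)), src)

def split_args(src, i):
    """Split a call's arguments on top-level commas; i is just past '('."""
    args, cur, depth, in_str = [], [], 0, False
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(src[i:i + 2] if c == '\\' else c)  # keep escapes whole
            i += c == '\\'
            in_str = c != '"'
        elif c == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
        elif c == ')' and depth == 0:
            return args + [''.join(cur).strip()]
        else:
            in_str = c == '"'
            depth += (c == '(') - (c == ')')
            cur.append(c)
        i += 1
    return args  # unterminated call: report what was parsed

def audit(src):
    """Return (line, format_arg) for syslog() calls whose format is not a literal."""
    src = strip_comments(src)
    findings = []
    for m in re.finditer(r'\bsyslog\s*\(', src):
        args = split_args(src, m.end())
        if len(args) >= 2 and not args[1].startswith('"'):
            findings.append((src.count('\n', 0, m.start()) + 1, args[1]))
    return findings
```

The check is lexical: it does not follow wrapper functions or macros, so each hit still needs a look at where the format argument comes from, and the usual fix is to pass the string as data, as in `syslog(priority, "%s", string)`.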