Bugtraq mailing list archives
Re: Format strings: bug #1: BSD-lpr
From: Jouko Pynnönen <jouko () ENVIRO SOLUTIONS FI>
Date: Wed, 27 Sep 2000 13:23:48 +0300
On Tue, 26 Sep 2000, Chris Evans wrote:
> Welcome to a short series of security bugs, all involving mistakes with
> "user supplied format strings". This class of bug is very popular on
> Bugtraq at the moment, so what an ideal time for a few examples.
>
> BSD-lpr
> -------
>
> If we look into lpr/lpd/printjob.c, we can find the following two lines
> of code
>
>     if ((s = checkremote()))
>         syslog(LOG_WARNING, s);
>
> This is a classic format string mistake. It may not be exploitable,
> because the failure strings returned by checkremote() in
> lpr/common_source/common.c, do not contain much data that a user could
> control.
Correct me if I'm wrong, but in this case there is no user supplied format string involved at all. This is in fact a mistake with an "administrator supplied format string". I looked at this a few months ago and came to the conclusion that to exploit this, the user should be able to modify /etc/printcap, where the hostnames come from (i.e. have root access), or make gethostname() return a format string, which is impossible as well unless you already have root access.

This "bug" is certainly an example of some bad coding conventions, but it is not exploitable under any imaginable circumstances. There have already been, and there will be, more than enough alerts and advisories without false alarms like this, right?

--
Jouko Pynnönen
Online Solutions Ltd
Secure your Linux - jouko () solutions fi
http://www.secmod.com
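The pattern under discussion, reproduced as an added example that is not lpr's code and not part of either poster's message: a stand-in for checkremote() builds a failure message that embeds a hostname from a (constructed, hypothetical) printcap entry, and that message is then passed once as the format string, mirroring syslog(LOG_WARNING, s), and once as an argument to a fixed "%s" format. vsnprintf into a buffer stands in for syslog so the two results can be compared. The hostname "print%%er" is chosen because "%%" is the one directive the C standard lets you pass with no matching argument, so the demonstration stays defined behaviour while still showing the string being interpreted as a format. contains_directives() is the quick check a reviewer can apply to any string that reaches a format parameter.

```c
/* Added example (not lpr's code): the printjob.c pattern
 *     syslog(LOG_WARNING, s);
 * beside its corrected form, with vsnprintf standing in for syslog.
 * Hostname and message text below are constructed for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSGSZ 128

/* Forwards a format and its arguments to vsnprintf, the way syslog()
 * forwards them to vsyslog(). A non-literal format passed here is
 * interpreted exactly as it would be by syslog(). */
static int log_like_syslog(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Stand-in for checkremote(): returns a failure string that embeds the
 * "rm" hostname of a hypothetical printcap entry. */
static const char *fake_checkremote(const char *rm_host, char *out, size_t outsz)
{
    snprintf(out, outsz, "unable to connect to remote printer on %s", rm_host);
    return out;
}

/* Vulnerable form: the message itself becomes the format string. */
static int log_vulnerable(const char *s, char *out, size_t outsz)
{
    return log_like_syslog(out, outsz, s);
}

/* Corrected form: the message is data consumed by a fixed "%s". */
static int log_fixed(const char *s, char *out, size_t outsz)
{
    return log_like_syslog(out, outsz, "%s", s);
}

/* Returns 1 if s contains a '%' that printf would treat as the start of
 * a conversion (anything other than the literal "%%"), else 0. */
static int contains_directives(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" prints a single '%' */
            s++;
            continue;
        }
        return 1;               /* a real directive, or a dangling '%' */
    }
    return 0;
}

int main(void)
{
    char msg[MSGSZ], vuln[MSGSZ], fixed[MSGSZ];

    /* Constructed hostname containing a format directive. */
    fake_checkremote("print%%er", msg, sizeof msg);

    log_vulnerable(msg, vuln, sizeof vuln);
    log_fixed(msg, fixed, sizeof fixed);

    printf("checkremote : %s\n", msg);
    printf("syslog(s)   : %s\n", vuln);   /* "%%" collapsed to "%" */
    printf("syslog(%%s) : %s\n", fixed);  /* message preserved verbatim */
    printf("directives in \"host%%x\": %d\n", contains_directives("host%x"));
    return 0;
}
```

The difference in the two outputs is the whole bug: in the first call the logger parsed the message for directives, in the second it did not. Whether anything worse than a mangled log line follows depends on who controls the text that reaches the format parameter, which is exactly the point the reply above is making about /etc/printcap. Building with gcc or clang and -Wformat-security flags the log_vulnerable() call site as a format string that is not a literal.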
Current thread:
- Format strings: bug #1: BSD-lpr Chris Evans (Sep 25)
- Re: Format strings: bug #1: BSD-lpr Kris Kennaway (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Jouko Pynnönen (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Valdis Kletnieks (Sep 27)