Bugtraq mailing list archives

another format string bug


From: Wojtek Pawlikowski <vvega () LIDERLINK NET>
Date: Fri, 23 Mar 2001 16:38:19 +0100

There is a format string bug in 'pwc' (ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz).
This CGI script is used to change users' passwords via www (blah!).
writelog() calls the syslog() function, which 'eats' ;) characters and logs them
to the system logs. But you can paste shellcode into buffer[512] and syslog()
will run it without any problems.

#include <stdarg.h>
#include <stdio.h>
#include <syslog.h>

#ifndef SERVICENAME
#define SERVICENAME "pwc"   /* defined elsewhere in pwc; value assumed here */
#endif

void writelog(const char *fmt, ...)
{
        va_list args;
        char buffer[512];

        va_start(args, fmt);

        openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT | LOG_AUTH);
        vsnprintf(buffer, 512, fmt, args);  /* user-supplied data ends up in buffer */
        syslog(LOG_ERR, buffer);            /* <- bug :) buffer is passed as the format string */
        closelog();
        va_end(args);
        return;
}

As you can see, this is a potential security bug.

Patch:

        change
                syslog(LOG_ERR, buffer);
        to
                syslog(LOG_ERR, "%s", buffer);

greetz: #sigsegv, #phreakpl, #argante

-------------------------------------------------------------------
Wojtek Pawlikowski <wojtek () liderlink net> Linux / BSD Administrator
Cell 0608521666 || Registered Linux User 198985 || Have a nice trip
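The defect and the one-line patch above, as an added example that is not part of the post or of pwc: the same sink shape as writelog(), but writing into a caller-supplied buffer through snprintf() instead of syslog() so the effect of passing user data as the format argument can be observed and tested offline. log_unsafe(), log_safe(), has_format_directive() and interpreted_as_format() are names chosen here; the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the already-formatted message is handed over as the
 * format argument, so any '%' sequence it contains is interpreted.
 * This mirrors syslog(LOG_ERR, buffer) in pwc's writelog(). */
int log_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}

/* Hardened shape, matching the posted patch: a fixed "%s" format with
 * the message as its argument, so '%' in msg is plain data. */
int log_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Audit helper: does this string carry a conversion directive, i.e. a '%'
 * that is not the literal "%%" escape? Useful for flagging log lines or
 * input fields during review. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* literal percent sign */
            return 1;
        }
    }
    return 0;
}

/* Returns 1 when the two sinks render msg differently, which means the
 * vulnerable version interpreted msg rather than logging it verbatim. */
int interpreted_as_format(const char *msg)
{
    char a[128], b[128];
    log_unsafe(a, sizeof a, msg);
    log_safe(b, sizeof b, msg);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample: a value such as a CGI form field might carry.
     * Only the harmless "%%" directive is used to show the difference. */
    const char *input = "user 100%% done";
    char out[64];

    log_unsafe(out, sizeof out, input);
    printf("unsafe: %s\n", out);   /* "%%" collapsed to "%": input was interpreted */
    log_safe(out, sizeof out, input);
    printf("safe:   %s\n", out);   /* "%%" preserved: input was treated as data */
    printf("directive present: %d\n", has_format_directive(input));
    return 0;
}
```

The compiler's -Wformat-security warning on log_unsafe() is the same signal a reviewer gets on the original syslog(LOG_ERR, buffer) call: a format argument that is not a string literal.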

