Re: [VulnWatch] Bypassing libsafe format string protection

[Steve Beattie <steve () wirex net>]

On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
>
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe. 
>
> 2.
>
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses n-th argument and does not properly count real number of arguments
> used. Thus, arguments, whose index numbers are above the total number of
> conversion specifications, are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides
a similar protection against format string attacks as libsafe) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

-- 
Steve Beattie                               Don't trust programmers? 
<steve () wirex net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.

Attachment: _bin
Description: