Full Disclosure mailing list archives
Re: gnu-less Format String Vulnerability
From: Tim <tim-security () sentinelchicken org>
Date: Wed, 18 Aug 2004 10:47:13 -0400
+-----[ Description ]-----+ Format string vulnerability. +-----[ Vulnerable Code ]-----+ From less-382: [filename.c] : 787 public char * open_altfile(filename, pf, pfd) char *filename; int *pf; void **pfd; { ................... if ((lessopen = lgetenv("LESSOPEN")) == NULL ................... sprintf(cmd, lessopen, filename); <-- Format String Problem Here ................... }
I am sorry, I fail to see how this is a vulnerability. If you have control of LESSOPEN, you already have shell, since, from the man page: "An input preprocessor is simply an executable program (or shell script), which writes the contents of the file to a different file, called the replacement file. ... To set up an input preprocessor, set the LESSOPEN environment variable to a command line which will invoke your input preprocessor." Perhaps it would be better written if the LESSOPEN parser only allowed %s to work, as advertized, and not the other sprintf codes, but it really isn't a security issue (unless I am totally missing something). If you are really worried about it, add the -L option when running less, and it will ignore LESSOPEN. cheers, tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- gnu-less Format String Vulnerability Serkan Akpolat (Aug 18)
- Re: gnu-less Format String Vulnerability Tim (Aug 18)
- Re: gnu-less Format String Vulnerability Serkan Akpolat (Aug 18)
- Re: gnu-less Format String Vulnerability Tim (Aug 18)