Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Kiss Server v1.2

From: "vashnukad vashnukad" <vashnukad1 () gmail com>
Date: Sun, 30 Mar 2008 14:24:19 -0500
From: vashnukad () vashnukad com
Site: http://www.vashnukad.com
Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No

The Linux Kiss Server contains a format strings vulnerability that, if
run in foreground mode, can be leveraged for access. The vulnerability
is demonstrated in the code below:
            Function log_message():
                  if(background_mode == 0)
                  {
                    if(type == 'l')
                      fprintf(stdout,log_msg);

                    if(type == 'e')
                      fprintf(stderr,log_msg);
                    free(log_msg);
                  }


            Function kiss_parse_cmd():


                  /* check full command name */
                  if (strncmp(cmd, buf, cmd_len))
                      {
                         asprintf(&log_msg,"unknow command: `%s'", buf);
                         log_message(log_msg,'e');
                         goto error;
                      }
                  buf += cmd_len;

So putting something like %n%n%n in 'buf' you can trigger the vulnerability.

--
Name: Vashnukad
e-mail: vashnukad () vashnukad com
Site: http://www.vashnukad.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: