Full Disclosure mailing list archives
Kiss Server v1.2
From: "vashnukad vashnukad" <vashnukad1 () gmail com>
Date: Sun, 30 Mar 2008 14:24:19 -0500
From: vashnukad () vashnukad com Site: http://www.vashnukad.com Application: Linux Kiss Server v1.2 Type: Format strings Priority: Medium Patch available: No The Linux Kiss Server contains a format strings vulnerability that, if run in foreground mode, can be leveraged for access. The vulnerability is demonstrated in the code below: Function log_message(): if(background_mode == 0) { if(type == 'l') fprintf(stdout,log_msg); if(type == 'e') fprintf(stderr,log_msg); free(log_msg); } Function kiss_parse_cmd(): /* check full command name */ if (strncmp(cmd, buf, cmd_len)) { asprintf(&log_msg,"unknow command: `%s'", buf); log_message(log_msg,'e'); goto error; } buf += cmd_len; So putting something like %n%n%n in 'buf' you can trigger the vulnerability. -- Name: Vashnukad e-mail: vashnukad () vashnukad com Site: http://www.vashnukad.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Kiss Server v1.2 vashnukad vashnukad (Mar 30)