Full Disclosure mailing list archives
Re: Vulnerability in Linux Kiss Server v1.2
From: "David Judais" <david.judais () googlemail com>
Date: Wed, 5 Mar 2008 16:29:53 -0500
Why isn't there a patch?
From: vashnukad () vashnukad com
Site: http://www.vashnukad.com
Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No

The Linux Kiss Server contains a format strings vulnerability that, if run in foreground mode, can be leveraged for access. The vulnerability is demonstrated in the code below:

Function log_message():

    if(background_mode == 0) {
        /* log_msg is passed as the format argument, not as data */
        if(type == 'l')
            fprintf(stdout,log_msg);
        if(type == 'e')
            fprintf(stderr,log_msg);
        free(log_msg);
    }

Function kiss_parse_cmd():

    /* check full command name */
    if (strncmp(cmd, buf, cmd_len)) {
        /* buf is client-supplied and ends up inside log_msg */
        asprintf(&log_msg,"unknow command: `%s'", buf);
        log_message(log_msg,'e');
        goto error;
    }
    buf += cmd_len;

So by putting something like %n%n%n in 'buf', you can trigger the vulnerability.

--
Name: Vashnukad
E-mail: vashnukad () vashnukad com
Site: http://www.vashnukad.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
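The defect in the quoted advisory is that the client-built string reaches fprintf() as the format argument. The following is an added example, not code from the Kiss Server or from either poster: it places the quoted vulnerable shape next to the hardened form, and adds an assumed helper, count_format_directives(), that a reviewer or log-audit hook can use to flag messages carrying conversion specifiers before they are logged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape from the advisory, kept only for comparison: whatever
 * is in log_msg is interpreted as a format string. Never call this with
 * data a client can influence. */
static void log_message_vulnerable(const char *log_msg)
{
    fprintf(stderr, log_msg);
}

/* Hardened form: the message is always an argument behind a fixed format,
 * so "%n%n%n" is written out literally. Returns the byte count written. */
int log_message_fixed(const char *log_msg)
{
    return fprintf(stderr, "%s\n", log_msg);
}

/* Assumed audit helper (not part of the server): count conversion
 * specifiers in a string about to be logged, treating "%%" as a literal
 * percent sign. A non-zero count on a message built from client input is
 * the signature of this bug class. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Rebuild the advisory's "unknow command" message for a client-supplied
 * command name (snprintf used instead of asprintf for portability) and
 * route it through the hardened logger. Caller frees the result. */
char *build_unknown_cmd_msg(const char *buf)
{
    const char *prefix = "unknow command: `";
    size_t len = strlen(prefix) + strlen(buf) + 2;  /* closing quote + NUL */
    char *log_msg = malloc(len);
    if (log_msg == NULL)
        return NULL;
    snprintf(log_msg, len, "%s%s'", prefix, buf);
    log_message_fixed(log_msg);  /* directives in buf are printed verbatim */
    return log_msg;
}
```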
Current thread:
- Vulnerability in Linux Kiss Server v1.2 vashnukad (Mar 04)
- <Possible follow-ups>
- Re: Vulnerability in Linux Kiss Server v1.2 David Judais (Mar 05)
- Re: Vulnerability in Linux Kiss Server v1.2 David Judais (Mar 07)
- Message not available
- Re: Vulnerability in Linux Kiss Server v1.2 vashnukad vashnukad (Mar 07)