Vulnerability Development mailing list archives
Re: Red Hat 7.1 rpc.statd problem
From: Fyodor <fygrave () tigerteam net>
Date: Thu, 6 Dec 2001 03:49:08 +0700
On Wed, Dec 05, 2001 at 12:36:09PM -0800, Blue Boar wrote:
> .. now they fixed it to be: syslog("lookup screwed for: %s\n", userdata); ...
> So if someone has written a bad syslog implementation, then the format string will get sent to the syslogd, and potentially exploit that?
It is not a "bad syslog implementation". If it is a standard syslog function implementation (which is part of libc, by the way) that supports '%n' and similar arguments, and if the format string is affected by user-supplied data, it could be exploitable. (Not only syslog, which I used as an example, but a bunch of other functions too. There were some papers published on fmt bug exploitation. Please refer to those for more details ;-))
> Just seems to me that the statd code should use a smaller buffer, or strip out some characters, or something that wouldn't put such a scary entry into the log files. :)
I guess 63(?) characters is the hostname max length according to the RFC. So it is probably a statd mess-up/oversight not to chop it (although I doubt it would do much harm in this case)..

--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
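The pitfall discussed in this exchange, as an added example that is not code from the thread or from rpc.statd: a small variadic log wrapper built on vsnprintf (the same formatting engine libc's syslog() uses) is called once in the shape of the bug, with user data baked into the format string, and once in the fixed shape, with a constant format and the user data passed as a %s argument. It also carries the two defensive checks Blue Boar suggests, a directive counter for data about to reach a *printf-family format, and a hostname sanitizer that caps the length at the 63 characters Fyodor mentions and drops characters that cannot appear in a DNS name. All function names, the 63-character limit and the payload string are assumptions of this example.

```c
/*
 * Added example (not code from the thread or from rpc.statd): the format
 * string pitfall discussed above, reduced to a variadic log wrapper built
 * on vsnprintf, the formatting engine libc's syslog() uses internally.
 * Names (log_line, log_unsafe, log_safe, count_directives,
 * sanitize_hostname) and the payload are made up for this example.
 */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 63   /* assumed limit, as given in the thread ("63(?)") */

/* Minimal stand-in for syslog(): formats into `out` the way vsyslog would. */
static void log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* VULNERABLE shape: the message is assembled first, so attacker bytes end
 * up inside the format string.  Any '%' directive in userdata is then
 * interpreted: %x leaks stack words, %s dereferences a stack word, %n
 * writes a count through one.  Only called with a benign host below. */
static void log_unsafe(char *out, size_t n, const char *userdata)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "lookup screwed for: %s\n", userdata);
    log_line(out, n, fmt);          /* <- bug: fmt contains user bytes */
}

/* FIXED shape: constant format, user data passed as an argument, so a
 * "%n" inside userdata is just two bytes of text. */
static void log_safe(char *out, size_t n, const char *userdata)
{
    log_line(out, n, "lookup screwed for: %s\n", userdata);
}

/* Count printf directives in untrusted text ("%%" is a literal percent).
 * A non-zero result for data that is about to be used as a format is a
 * cheap detection, or rejection, check. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            count++;
        }
    }
    return count;
}

/* Cap the length and keep only characters legal in a DNS hostname
 * (letters, digits, '.', '-').  Returns the number of bytes kept. */
static size_t sanitize_hostname(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in && n < HOSTNAME_MAX && n + 1 < outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '.' || c == '-')
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[256], host[HOSTNAME_MAX + 1];
    /* constructed payload: three stack reads, then a write via %n */
    const char *evil = "%x%x%x%n.attacker.example";

    log_unsafe(buf, sizeof buf, "nfs1.example.org");   /* benign input only */
    printf("%s", buf);
    log_safe(buf, sizeof buf, evil);                   /* directives stay literal */
    printf("%s", buf);
    printf("directives in payload: %d\n", count_directives(evil));
    sanitize_hostname(evil, host, sizeof host);
    printf("sanitized host: %s\n", host);
    return 0;
}
```

Two practical notes: gcc and clang only flag the unsafe call with -Wformat-security when the wrapper is declared with `__attribute__((format(printf, 3, 4)))`, so wrappers around syslog-style functions should carry that attribute; and modern glibc built with _FORTIFY_SOURCE aborts when it meets %n in a format string that lives in writable memory, which blocks the classic write primitive but still leaves the %x/%s information leaks available.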