Open Source and information security mailing list archives
Message-ID: <20030708063317.8474.qmail@www.securityfocus.com>
Date: 8 Jul 2003 06:33:17 -0000
From: yan feng <jsk@...nt0m.net>
To: bugtraq@...urityfocus.com
Subject: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities

                                ========================================
                                Ph4nt0m Security Advisory 2#2003--7-7
                                ========================================
 Title: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities

 Advisory Number         : SRT2003-7-7-002
 Product                 : zkfingerd
 Version                 : 2.0.2 (possibly all versions)
 Vendor                  : http://sourceforge.net/projects/zkfingerd
 Class                   : Local & remote
 Criticality             : High
 Operating System(s)     : *nix


***************************************************************************
 High Level Description  : Format String Vulnerabilities in syslog() and fprintf()
***************************************************************************

 Technical Details
 ************************************************************************
 zkfingerd-r3-0.9 could be remotely exploitable; the latest version, 2.0.2, also
has a format string vulnerability.
 The code is found in src/die.c (_finger_error):107
 .........................................
_finger_error(int options, char *function, char *file,
	int line, char *msg, ...)
{
	va_list	ap;

	va_start(ap, msg);

	chomp(msg);

#ifdef	DEBUG
	if(options & DEBUG_ERROR)
		fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
	else
#endif
	if(!(options & QUIET_ERROR))
		fprintf(stdout, "< ");

	if(strchr(msg, '%') != NULL && !ap)
	{
		if(!(options & QUIET_ERROR))
			fprintf(stdout, msg);   /* <-- point: msg could be provided by us */
#ifndef	NO_SYSLOG
		syslog(LOG_CRIT, msg);  /* <-- possible */
#endif
	}
	else
	{
		if(!(options & QUIET_ERROR))
			vfprintf(stdout, msg, ap);

#ifndef	NO_SYSLOG
		vsyslog(LOG_CRIT, msg, ap);
#endif
	}

	if(!(options & QUIET_ERROR))
	{
#ifdef	DEBUG
		fprintf(stdout, "%s\r\n",
			(!(options & DEBUG_ERROR)) ? " >" : "");
#else
		fprintf(stdout, " >\r\n");
#endif
	}

	va_end(ap);

	fflush(stdout);

	if(options & FATAL_ERROR)
		exit(1);

	return;
}

 
So it is possible to corrupt memory by passing format strings through the
vulnerable function. This may potentially be exploited to overwrite
arbitrary locations in memory with attacker-specified values.


I am studying the code; I will provide how to attack & exploit......



...........................................................................

***************************************************************************
By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail: jsk@...nt0m.net

ph4nt0m Security Home: http://www.ph4nt0m.net
My World: http://jsk.njsafe.com
My GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc
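The defect in _finger_error() reduced to a minimal pair, as an added example that is not part of the advisory and not zkfingerd's code. Both branches of the original function hand msg to the formatter as the format string (fprintf(stdout, msg) / syslog(LOG_CRIT, msg) on one side, vfprintf/vsyslog(msg, ap) on the other), and the `!ap` guard cannot tell whether any variadic arguments were supplied, so it offers no protection. The names render_unsafe, render_safe and count_directives below are assumptions for this example; the unsafe variant is only ever driven with the `%%` escape, which is defined behaviour and is enough to show that user data is being interpreted as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this example; zkfingerd writes to stdout/syslog,
   not to a buffer, but rendering into a buffer lets the result be checked. */
#define RENDER_BUF 128

/* Vulnerable shape (hypothetical name): mirrors the vfprintf(stdout, msg, ap)
   / vsyslog(LOG_CRIT, msg, ap) path of _finger_error(). msg is the format
   string, so any %-directive inside it is executed by the formatter. The
   single caller below passes only "%%" so the call stays well defined. */
const char *render_unsafe(const char *msg, ...)
{
    static char out[RENDER_BUF];
    va_list ap;

    va_start(ap, msg);
    vsnprintf(out, sizeof out, msg, ap);   /* user data as format: the bug */
    va_end(ap);
    return out;
}

/* Fixed shape (hypothetical name): the format is a compile-time literal and
   msg is passed as an ordinary argument, so "%" in msg is just a character.
   The same one-line change applies to fprintf()/syslog() in die.c. */
const char *render_safe(const char *msg)
{
    static char out[RENDER_BUF];

    snprintf(out, sizeof out, "%s", msg);
    return out;
}

/* Audit/detection helper (hypothetical name): count %-directives in a string
   that came off the wire, ignoring the literal "%%" escape. A non-zero count
   in a finger query is what a request-log rule or a test harness would flag. */
int count_directives(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" prints one percent sign, reads nothing */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *query = "100%% done";   /* constructed input containing "%%" */

    /* The unsafe path collapses "%%" to "%": the formatter parsed our data. */
    printf("unsafe: %s\n", render_unsafe(query));
    /* The safe path leaves the bytes untouched. */
    printf("safe:   %s\n", render_safe(query));
    /* Directive count on a constructed suspicious query. */
    printf("directives in \"user%%x%%n\": %d\n", count_directives("user%x%n"));
    return 0;
}
```

The check to carry back into die.c is mechanical: every place msg reaches fprintf(), syslog(), vfprintf() or vsyslog() as the format argument must become a literal format with msg as a `%s` argument, and callers that genuinely want formatting must pass a trusted literal as msg and the untrusted text as a parameter. Compiling with `-Wformat -Wformat-security` makes gcc report the `fprintf(stdout, msg)` form directly.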

