Message-ID: <20030708224246.28609.qmail@www.securityfocus.com>
Date: 8 Jul 2003 22:42:46 -0000
From: Vade 79 <v9@...ehalo.deadpig.org>
To: bugtraq@...urityfocus.com
Subject: Re: zkfingerd-2.0.2(the last version)Format String Vulnerabilities


In-Reply-To: <20030708063317.8474.qmail@....securityfocus.com>

Went through the zkfingerd-2.0.2 source after reading this.  Curious on 
exploitation :)... anyways, I am not seeing anywhere in the source where 
the "msg" buffer can allow for direct user input (formats).  Only static 
data/proper formats (including ones that look bad, but still are just 
static data in a buffer).  In all the die(), warn(), and putlog() 
functions, which use the _fingerd_error() function.

Maybe I am just not seeing it?  But I looked a couple of times.  Inform me 
if I am misinformed about it. :/


Vade79 -> fakehalo.deadpig.org -> fakehalo.


>Received: (qmail 26972 invoked from network); 8 Jul 2003 19:44:25 -0000
>Received: from outgoing2.securityfocus.com (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 8 Jul 2003 19:44:25 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>	by outgoing2.securityfocus.com (Postfix) with QMQP
>	id 3C3C88F6CB; Tue,  8 Jul 2003 13:43:46 -0600 (MDT)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 3468 invoked from network); 8 Jul 2003 06:34:56 -0000
>Date: 8 Jul 2003 06:33:17 -0000
>Message-ID: <20030708063317.8474.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: yan feng <jsk@...nt0m.net>
>To: bugtraq@...urityfocus.com
>Subject: zkfingerd-2.0.2(the last version)Format String Vulnerabilities
>
>
>
>                                ========================================
>	                        Ph4nt0m Security Advisory 2#2003--7-7
>	                        ========================================
> Title: zkfingerd-2.0.2(the last version)Format String Vulnerabilities  
>
> Advisory Number         : SRT2003-7-7-002
> Product                 : zkfingerd
> Version                 : 2.0.2 (possibility All versions )
> Vendor                  : http://sourceforge.net/projects/zkfingerd
> Class                   : Local&remote
> Criticality             : high
> Operating System(s)     : *nix
>
>
> 
>*****************************************************************************
> high Level Description  : Format String Vulnerabilities in syslog() 
>fprintf()
>
> 
>*****************************************************************************
>
> Technical Details
> ************************************************************************
> zkfingerd-r3-0.9 could be remotely exploitable; the last version, 2.0.2, also 
>has a bug for Format String Vulnerabilities 
> code find in src/die.c(_finger_error):107
> .........................................
>_finger_error(int options, char *function, char *file,
>	int line, char *msg, ...)
>{
>	va_list	ap;
>
>	va_start(ap, msg);
>
>	chomp(msg);
>
>#ifdef	DEBUG
>	if(options & DEBUG_ERROR)
>		fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
>	else
>#endif
>	if(!(options & QUIET_ERROR))
>		fprintf(stdout, "< ");
>
>	if(strchr(msg, '%') != NULL && !ap)
>	{
>		if(!(options & QUIET_ERROR))
>			fprintf(stdout, msg);  .....................point (msg could be provided by us)
>#ifndef	NO_SYSLOG
>		syslog(LOG_CRIT, msg); .............................possible
>#endif
>	}
>	else
>	{
>		if(!(options & QUIET_ERROR))
>			vfprintf(stdout, msg, ap);
>
>#ifndef	NO_SYSLOG
>		vsyslog(LOG_CRIT, msg, ap);
>#endif
>	}
>
>	if(!(options & QUIET_ERROR))
>	{
>#ifdef	DEBUG
>		fprintf(stdout, "%s\r\n",
>			(!(options & DEBUG_ERROR)) ? " >" : "");
>#else
>		fprintf(stdout, " >\r\n");
>#endif
>	}
>
>	va_end(ap);
>
>	fflush(stdout);
>
>	if(options & FATAL_ERROR)
>		exit(1);
>
>	return;
>}
>
> 
>So it is possible to corrupt memory by passing format strings through the 
>vulnerable function. This may potentially be exploited to overwrite 
>arbitrary locations in memory with attacker-specified values. 
>
>
>I am studying the code, I will provide how to attack & exploit......
>
>
>
>.................................................................................................
>
>*********************************************************************************************
>By "jsk" (akun), in ph4nt0m.net(c) Security.
>
>E-mail:jsk@...nt0m.net 
>
>ph4nt0m Security Home: http://www.ph4nt0m.net 
>My World: http://jsk.njsafe.com
>My GnuPG Public Key:http://202.119.104.82/webeq/app/jsk/jsk.asc
>
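As an added, defender-side example (not zkfingerd code and not part of either post above), the C program below shows the three checks a practitioner would want around the _finger_error() pattern quoted in the advisory: a counter that flags untrusted text carrying printf conversions (the check a finger daemon or a log pipeline can run on the query line it receives), a percent-escaper for text that must still reach a legacy format-taking logger, and the hardened shape of the wrapper, in which the format is always a literal supplied by the caller and untrusted text travels as a "%s" argument. The names count_format_directives, escape_percents and report_error, and the sample query lines in main(), are constructed for this example. One caveat worth stating: the quoted `strchr(msg, '%') != NULL && !ap` test cannot serve as an "are there variadic arguments" check, because C gives no way to inspect a va_list for emptiness, so whether the function is exploitable comes down purely to the question the reply raises, namely whether msg can ever carry caller-external data.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not zkfingerd code. The function names and the sample
   inputs in main() are constructed for illustration. */

/* Returns the number of conversion directives in s. "%%" is a literal
   percent and is not counted; a trailing lone '%' is counted as suspicious.
   A non-zero result on a finger query line is worth logging and rejecting. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;                    /* "%x", "%n", "%s", "%08x", trailing "%" ... */
    }
    return n;
}

/* Copies in to out, doubling every '%', so a legacy function that treats
   its argument as a format prints the text literally. Returns the length
   written (excluding the NUL), or (size_t)-1 if out is too small. */
size_t escape_percents(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outsz)
            return (size_t)-1;
        out[o++] = *p;
        if (*p == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return o;
}

/* Hardened wrapper: fmt is always a literal supplied by the caller and
   untrusted text is passed as an argument. The format attribute lets
   gcc/clang -Wformat -Wformat-security flag any call that passes a
   non-literal format. The "< ... >" framing mirrors the quoted output.
   Renders into buf and returns the length, or -1 if it does not fit. */
int report_error(char *buf, size_t bufsz, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

int report_error(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n, total;

    n = snprintf(buf, bufsz, "< ");
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    total = n;

    va_start(ap, fmt);
    n = vsnprintf(buf + total, bufsz - total, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= bufsz - total)
        return -1;
    total += n;

    n = snprintf(buf + total, bufsz - total, " >");
    if (n < 0 || (size_t)n >= bufsz - total)
        return -1;
    return total + n;
}

int main(void)
{
    /* Constructed finger query lines: one benign, one carrying directives. */
    const char *benign = "root";
    const char *hostile = "%x%x%n";
    char line[128], esc[64];

    printf("%s -> %zu directives\n", benign, count_format_directives(benign));
    printf("%s -> %zu directives\n", hostile, count_format_directives(hostile));

    /* Untrusted text goes in as a "%s" argument, never as the format. */
    report_error(line, sizeof line, "no such user: %s", hostile);
    puts(line);

    escape_percents(hostile, esc, sizeof esc);
    puts(esc);
    return 0;
}
```

Compiling with -Wformat -Wformat-security turns any remaining `fprintf(stdout, msg)`-style call into a warning, which is the cheapest way to audit a code base of this size for the pattern the advisory describes.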

