Message-ID: <20040818144713.GC4403@sentinelchicken.org>
From: tim-security at sentinelchicken.org (Tim)
Subject: gnu-less Format String Vulnerability

> +-----[ Description ]-----+
> 
> Format string vulnerability.
> 
> 
> +-----[ Vulnerable Code ]-----+
> From less-382:
> 
> [filename.c] : 787
> 
>     public char *
> open_altfile(filename, pf, pfd)
>     char *filename;
>     int *pf;
>     void **pfd;
> {
>     ...................
>     if ((lessopen = lgetenv("LESSOPEN")) == NULL
>     ...................
>     sprintf(cmd, lessopen, filename); <-- Format String Problem Here
>     ...................
> 
> }


I am sorry, I fail to see how this is a vulnerability.

If you have control of LESSOPEN, you already have shell, since, from the
man page:

"An input preprocessor is simply an executable program (or shell
script), which writes the contents of the file to a different file,
called the replacement file.
...
To set up an input preprocessor, set the LESSOPEN environment
variable to a command line which will invoke your input preprocessor."


Perhaps it would be better written if the LESSOPEN parser only allowed
%s to work, as advertized, and not the other sprintf codes, but it
really isn't a security issue (unless I am totally missing something).
If you are really worried about it, add the -L option when running less,
and it will ignore LESSOPEN.

cheers,
tim
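Tim's suggestion above, that the LESSOPEN value be expanded for `%s` only rather than handed to sprintf() as a format string, as an added example in C (not code from less or from the original post; the function name `expand_lessopen` and its return convention are assumptions of this example):

```c
/* Added example (not less's own code): expand a LESSOPEN template by hand,
 * honouring only the documented "%s" substitution, instead of passing the
 * environment value to sprintf() as a format string.  Any other conversion
 * ("%d", "%n", "%x", ...) is rejected rather than interpreted, and the
 * output is bounded by outlen. */
#include <stddef.h>
#include <string.h>

/* Returns 0 on success, -1 if the template contains an unsupported
 * conversion or the expanded command does not fit in out[outlen]. */
int expand_lessopen(const char *tmpl, const char *filename,
                    char *out, size_t outlen)
{
    size_t pos = 0;

    if (tmpl == NULL || filename == NULL || out == NULL || outlen == 0)
        return -1;

    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *src;
        size_t n;

        if (*p != '%') {
            src = p;                      /* ordinary character */
            n = 1;
        } else if (p[1] == 's') {         /* the one documented substitution */
            src = filename;
            n = strlen(filename);
            p++;
        } else if (p[1] == '%') {         /* literal percent sign */
            src = "%";
            n = 1;
            p++;
        } else {
            return -1;                    /* %n, %x, %d, ...: not allowed */
        }

        if (n > outlen - 1 - pos)         /* keep room for the terminating NUL */
            return -1;
        memcpy(out + pos, src, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}
```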

