| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c461be1b0803041943j7fbcff06yc2d99b767210c44e@mail.gmail.com>
Date: Tue, 4 Mar 2008 22:43:25 -0500
From: vashnukad <vashnukad@...hnukad.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Vulnerability in Linux Kiss Server v1.2
From: vashnukad@...hnukad.com
Site: http://www.vashnukad.com
Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No
The Linux Kiss Server contains a format strings vulnerability that, if run
in foreground mode, can be leveraged for access. The vulnerability is
demonstrated in the code below:
Function log_message():
if(background_mode == 0)
{
if(type == 'l')
fprintf(stdout,log_msg);
if(type == 'e')
fprintf(stderr,log_msg);
free(log_msg);
}
Function kiss_parse_cmd():
/* check full command name */
if (strncmp(cmd, buf, cmd_len))
{
asprintf(&log_msg,"unknow command: `%s'", buf);
log_message(log_msg,'e');
goto error;
}
buf += cmd_len;
So putting something like %n%n%n in 'buf' you can trigger the vulnerability.
--
Name: Vashnukad
E-mail: vashnukad@...hnukad.com
Site: http://www.vashnukad.com
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists