Subject: Re: format bugs, in addition to the wuftpd bug
From: Chris Evans (chris FERRET.LMH.OX.AC.UK)
Date: Tue Jun 27 2000 - 19:38:03 CDT
- Maybe in reply to: Lamagra Argamal: "format bugs, in addition to the wuftpd bug"
- Maybe reply: Chris Evans: "Re: format bugs, in addition to the wuftpd bug"
H D Moore wrote:
> I spent some time last weekend going over a handful of
> daemons/privileged programs that I suspected had issues with formatting
> characters in user-supplied data. I will not release the names of
> affected programs yet as I am waiting for their maintainers to get back
> to me, but I would like to cover a seemingly-unknown security issue with
> passing user-defined fields to the syslog function:

Bugtraq is a full disclosure mailing list; why not mention the daemons?
All your message will achieve is that all the Black Hats have reached for
"grep".

Based on your assertion that such flaws exist, I consider the following
"obvious" to find, so I have no problems with posting it here.

From sources on my RedHat Linux 6.1 machine:
gdm:
daemon/misc.c: lots of "syslog (LOG_ERR, s)"
gui/{gdmchooser,gdmlogin}.c: similar flaws
rpc.statd:
statd/log.c: syslog(level, buffer)

I look forward to your final report - I bet this issue is widespread. I
also bet we're still discovering these flaws in a few years' time, just
like we are with buffer overflows now :-(
Cheers
Chris
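
An added example, not part of the original message or of any project named in it: a line-based C check for the call pattern the post lists (`syslog (LOG_ERR, s)`, `syslog(level, buffer)`), next to the corrected call form. The names `log_untrusted` and `syslog_format_nonliteral` and the sample lines are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Corrected form: untrusted text is passed as an argument, never as the format. */
void log_untrusted(int level, const char *text)
{
    syslog(level, "%s", text);
}

/* Return 1 if `line` holds a syslog call whose format (second) argument does
 * not start with a string literal, else 0. Line-based heuristic (hypothetical
 * helper): calls split across several lines are not followed. */
int syslog_format_nonliteral(const char *line)
{
    const char *p = line;
    while ((p = strstr(p, "syslog")) != NULL) {
        /* Ignore longer identifiers such as vsyslog or my_syslog. */
        int ident_before = p > line && (isalnum((unsigned char)p[-1]) || p[-1] == '_');
        p += 6;
        if (ident_before) continue;
        const char *q = p;
        while (isspace((unsigned char)*q)) q++;
        if (*q != '(') continue;
        /* Skip the priority argument up to the first top-level comma. */
        int depth = 0;
        for (q++; *q; q++) {
            if (*q == '(') depth++;
            else if (*q == ')') { if (depth == 0) break; depth--; }
            else if (*q == ',' && depth == 0) break;
        }
        if (*q != ',') continue;
        for (q++; isspace((unsigned char)*q); q++) ;
        if (*q != '"') return 1;   /* format is a variable or expression */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines; the first two are the patterns quoted in the post. */
    const char *samples[] = { "syslog (LOG_ERR, s);", "syslog(level, buffer);",
                              "syslog(LOG_ERR, \"%s\", s);" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               syslog_format_nonliteral(samples[i]) ? "REVIEW" : "ok");
    return 0;
}
```

GCC's `-Wformat -Wformat-security` options warn about the same non-literal format pattern at compile time.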