OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Format strings: bug #1: BSD-lpr
From: Chris Evans (chrisSCARY.BEASTS.ORG)
Date: Mon Sep 25 2000 - 18:57:04 CDT

Hi,

INTRO
-----

Welcome to a short series of security bugs, all involving mistakes with
"user supplied format strings". This class of bug is very popular on
Bugtraq at the moment, so what an ideal time for a few examples.

BSD-lpr
-------

If we look into

lpr/lpd/printjob.c, we can find the following two lines of code

        if ((s = checkremote()))
                syslog(LOG_WARNING, s);

This is a classic format string mistake.

It may not be exploitable, because the failure strings returned by
checkremote() in lpr/common_source/common.c, do not contain much data that
a user could control.

However, it illustrates that format string bugs creep in everywhere, even
in code that gets syslog() calls correct the majority of the time, as is
the case with BSD-lpr.

Fix 

---

OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS,
but they also offer web indexed CVS. They caught it independently as part
of their "format strings" audit.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20

Conclusion
----------

The next format string bug in the series will be much more interesting.

Cheers
Chris