Subject: Re: Format strings: bug #1: BSD-lpr
From: Sean Winn (sean at GOTHIC.NET.AU)
Date: Tue Sep 26 2000 - 00:51:02 CDT
- Next message: Gunther Birznieks: "Re: Advisory: E*TRADE security problems in full"
- Previous message: Lincoln Yeoh: "Re: More info for E*TRADE users"
- In reply to: Chris Evans: "Format strings: bug #1: BSD-lpr"
- Next in thread: Sean Winn: "Re: Format strings: bug #1: BSD-lpr"
- Reply: Sean Winn: "Re: Format strings: bug #1: BSD-lpr"
- Reply: Sean Winn: "Re: Format strings: bug #1: BSD-lpr"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
NetBSD:
        if ((s = checkremote()) != NULL)
                syslog(LOG_WARNING, s);

FreeBSD:
        if ((s = checkremote(pp)) != 0) {
                syslog(LOG_WARNING, "%s", s);
                free(s);
        }
}
Looking back, it appears to be fixed in this commit
(http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/lpr/lpd/printjob.c.diff?r1=1.17&r2=1.18)
Revision 1.18, Tue Dec 2 20:45:58 1997 UTC (2 years, 9 months ago) by wollman
Branch: MAIN
Changes since 1.17: +321 -345 lines
Mega lpd/lpd upgrade, part I:
- Get rid of a lot of the static variables which were shared by
many routines and programs in the suite.
- Create an abstract interface to the printcap database, so that
other retrieval and iteration mechanisms could be developed
(e.g., YP, Hesiod, or automatic retrieval from a trusted server).
- Give each capability a human-readable name in addition to the historic
two-character one.
- Otherwise generally clean up a lot of dark corners. Many still remain.
- When submitting jobs, use the official login name record (from getlogin())
if there is one, rather than reverse-mapping the uid.
More to come...
----- Original Message -----
From: "Chris Evans" <chris at SCARY.BEASTS.ORG>
To: <BUGTRAQ at SECURITYFOCUS.COM>
Sent: Tuesday, September 26, 2000 10:57 AM
Subject: Format strings: bug #1: BSD-lpr
> Hi,
>
> INTRO
> -----
>
> Welcome to a short series of security bugs, all involving mistakes with
> "user supplied format strings". This class of bug is very popular on
> Bugtraq at the moment, so what an ideal time for a few examples.
>
> BSD-lpr
> -------
>
> If we look into
>
> lpr/lpd/printjob.c, we can find the following two lines of code
>
> if ((s = checkremote()))
> syslog(LOG_WARNING, s);
>
> This is a classic format string mistake.
>
> It may not be exploitable, because the failure strings returned by
> checkremote() in lpr/common_source/common.c, do not contain much data that
> a user could control.
>
> However, it illustrates that format string bugs creep in everywhere, even
> in code that gets syslog() calls correct the majority of the time, as is
> the case with BSD-lpr.
>
> Fix
> ---
>
> OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS,
> but they also offer web indexed CVS. They caught it independently as part
> of their "format strings" audit.
>
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20
>
> Conclusion
> ----------
>
> The next format string bug in the series will be much more interesting.
>
> Cheers
> Chris
>
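The following is an added example and is not code from BSD-lpr, FreeBSD, OpenBSD or either of the mails above. It makes the point of the thread concrete: why syslog(LOG_WARNING, s) is a bug and syslog(LOG_WARNING, "%s", s) is the fix. Instead of calling the real vsyslog(), which would read uninitialised vararg slots (undefined behaviour, and not repeatable from one run to the next), a minimal printf-style interpreter walks an explicit argument array that stands in for the stack. fmt_expand, log_warning_vuln, log_warning_fixed, has_format_directive and fake_stack are constructed for this demonstration; the message text is made up in the style of a checkremote() failure string and the host name part is the attacker-controlled piece.

```c
/* Added example (not code from BSD-lpr, FreeBSD, OpenBSD or either mail).
 * A minimal printf-style interpreter over an explicit argument array stands
 * in for vsyslog()'s walk through its va_list, so the effect of passing an
 * attacker-influenced message as the format is deterministic and safe to
 * run. Only %%, %x, %s and %n are implemented; other directives are
 * swallowed. fake_stack, log_warning_vuln and log_warning_fixed are
 * constructed for this demonstration and are not BSD-lpr identifiers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expand fmt into out, taking one slot from args[] per conversion, in the
 * order a real vprintf would consume its variadic arguments. Stops if the
 * format asks for more slots than the caller supplied (a real printf would
 * simply keep reading whatever lies beyond the genuine arguments).
 * Returns the number of argument slots consumed. */
static int fmt_expand(const char *fmt, const uintptr_t *args, size_t nargs,
                      char *out, size_t outsz)
{
    size_t o = 0;          /* bytes emitted so far: the value %n stores */
    size_t a = 0;          /* next argument slot */
    int used = 0;
    char tmp[32];

    for (const char *p = fmt; *p != '\0' && o + 1 < outsz; p++) {
        const char *src = "";
        size_t len;

        if (*p != '%') { out[o++] = *p; continue; }
        p++;
        if (*p == '%') { out[o++] = '%'; continue; }
        if (*p == '\0' || a >= nargs) break;

        uintptr_t arg = args[a++];
        used++;
        switch (*p) {
        case 'x':                      /* leaks the word found in the slot */
            snprintf(tmp, sizeof tmp, "%lx", (unsigned long)arg);
            src = tmp;
            break;
        case 's':                      /* dereferences the slot as a char * */
            src = (const char *)arg;
            break;
        case 'n':                      /* writes the byte count through the slot */
            *(int *)arg = (int)o;
            break;
        default:
            break;
        }
        len = strlen(src);
        if (o + len >= outsz) len = outsz - 1 - o;
        memcpy(out + o, src, len);
        o += len;
    }
    out[o] = '\0';
    return used;
}

/* The lpd pattern as it was: the message itself becomes the format string.
 * stack[] stands in for what vsyslog() finds in the vararg area when no
 * arguments were passed: here two saved words and a pointer to a variable. */
static int log_warning_vuln(const char *msg, const uintptr_t *stack,
                            size_t nslots, char *out, size_t outsz)
{
    return fmt_expand(msg, stack, nslots, out, outsz);
}

/* The fix (syslog(LOG_WARNING, "%s", s)): a constant format and the message
 * as its single argument, so a '%' inside the message is never interpreted. */
static int log_warning_fixed(const char *msg, char *out, size_t outsz)
{
    uintptr_t args[1] = { (uintptr_t)msg };
    return fmt_expand("%s", args, 1, out, outsz);
}

/* Audit check: does a string about to be used as a format contain any
 * conversion directive? "%%" is a literal percent sign and does not count. */
static int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed message in the style of a checkremote() failure string,
     * with an attacker-chosen host name that carries directives. */
    const char *msg = "remote host www%x%x%n is not reachable";
    int target = 0;
    uintptr_t fake_stack[3] = { 0x41414141u, 0x42424242u, (uintptr_t)&target };
    char out[128];

    printf("directives in message: %d\n", has_format_directive(msg));
    log_warning_vuln(msg, fake_stack, 3, out, sizeof out);
    printf("vulnerable: %s  [target=%d]\n", out, target);
    log_warning_fixed(msg, out, sizeof out);
    printf("fixed:      %s  [target=%d]\n", out, target);
    return 0;
}
```

With the vulnerable call the two %x directives dump the first two slots of the fake stack and %n stores the running byte count (31) through the pointer in the third slot, which is the read-and-write primitive that makes real format string bugs exploitable when the message is attacker-controlled. With the fixed call the same message is copied through verbatim and the target variable is untouched. The has_format_directive() check is the kind of guard worth running over any string that reaches syslog(), printf() or the *printf family as the format argument rather than as data, which is exactly where Chris's observation about exploitability depends on how much of checkremote()'s text a user can influence.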