Subject: Re: Format strings: bug #1: BSD-lpr
From: Jouko Pynnönen (jouko at ENVIRO.SOLUTIONS.FI)
Date: Wed Sep 27 2000 - 05:23:48 CDT
- Next message: reb at OPENRECORDS.ORG: "Re: Advisory: E*TRADE security problems in full"
- Previous message: Vulnerability Help: "Vendor Contacts"
- In reply to: Chris Evans: "Format strings: bug #1: BSD-lpr"
- Next in thread: Valdis Kletnieks: "Re: Format strings: bug #1: BSD-lpr"
- Reply: Jouko Pynnönen: "Re: Format strings: bug #1: BSD-lpr"
- Reply: Valdis Kletnieks: "Re: Format strings: bug #1: BSD-lpr"
On Tue, 26 Sep 2000, Chris Evans wrote:
> Welcome to a short series of security bugs, all involving mistakes with
> "user supplied format strings". This class of bug is very popular on
> Bugtraq at the moment, so what an ideal time for a few examples.
>
> BSD-lpr
> -------
>
> If we look into
>
> lpr/lpd/printjob.c, we can find the following two lines of code
>
> if ((s = checkremote()))
> syslog(LOG_WARNING, s);
>
> This is a classic format string mistake.
>
> It may not be exploitable, because the failure strings returned by
> checkremote() in lpr/common_source/common.c, do not contain much data that
> a user could control.
Correct me if I'm wrong, but in this case there is no user-supplied
format string involved at all. This is in fact a mistake with an
"administrator-supplied format string". I looked at this a few months ago
and came to the conclusion that to exploit this, the user would have to be
able to modify /etc/printcap, where the hostnames come from (i.e. have
root access), or make gethostname() return a format string, which is
impossible as well unless you already have root access.

This "bug" is certainly an example of some bad coding conventions, but it
is not exploitable under any imaginable circumstances. There have already
been, and there will be, more than enough alerts and advisories without
false alarms like this, right?
--
Jouko Pynnönen
Online Solutions Ltd
jouko at solutions.fi
Secure your Linux - http://www.secmod.com
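The call shape under discussion, syslog(LOG_WARNING, s) versus syslog(LOG_WARNING, "%s", s), as an added example that is not lpr code and not part of either message above. The failure text returned by checkremote() is modelled by a hypothetical remote_error() (the exact wording is an assumption; only the fact that a hostname from /etc/printcap or gethostname() is embedded in it matters), syslog is replaced by a variadic wrapper around vsnprintf so the resulting log line can be inspected, and the hostnames are constructed. A hostname containing "%%" is used because it changes the output deterministically without the undefined behaviour that a "%x" or "%n" directive would cause when no arguments are passed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Hypothetical stand-in for the failure text checkremote() builds in
 * lpr/common_source/common.c: a fixed message with a hostname taken
 * from the printcap rm= field or from gethostname(). Wording assumed. */
static void remote_error(char *out, size_t n, const char *host)
{
    snprintf(out, n, "unable to get official name for remote machine %s", host);
}

/* Same calling convention as syslog(3) (priority argument dropped):
 * a format followed by variadic arguments, written to a buffer instead
 * of the system log so the result can be inspected. */
static void fake_syslog(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape, as in printjob.c: syslog(LOG_WARNING, s); */
static void log_unsafe(char *dst, size_t n, const char *msg)
{
    fake_syslog(dst, n, msg);
}

/* Fixed shape: syslog(LOG_WARNING, "%s", s); */
static void log_safe(char *dst, size_t n, const char *msg)
{
    fake_syslog(dst, n, "%s", msg);
}

/* Audit helper: a string is only safe to pass as a format if it contains
 * no '%' at all. "%%" alone alters the output; any other '%' sequence
 * makes the printf engine consume arguments that were never passed. */
int safe_as_format(const char *s)
{
    return strchr(s, '%') == NULL;
}

/* Returns 1 if the unsafe and safe call shapes log different lines for
 * the given hostname, i.e. if the data was interpreted as a format. */
int log_lines_differ(const char *host)
{
    char msg[LOGBUF], unsafe[LOGBUF], safe[LOGBUF];
    remote_error(msg, sizeof msg, host);
    log_unsafe(unsafe, sizeof unsafe, msg);
    log_safe(safe, sizeof safe, msg);
    return strcmp(unsafe, safe) != 0;
}

int main(void)
{
    /* Constructed hostnames: a normal one, and one that whoever can
     * write /etc/printcap could place in the rm= field. */
    const char *hosts[] = { "lpserver.example.org", "50%%off.example.org" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        char msg[LOGBUF], line[LOGBUF];
        remote_error(msg, sizeof msg, hosts[i]);
        log_unsafe(line, sizeof line, msg);
        printf("host=%-22s safe_as_format=%d differ=%d unsafe_log=\"%s\"\n",
               hosts[i], safe_as_format(msg), log_lines_differ(hosts[i]), line);
    }
    return 0;
}
```

For the normal hostname both shapes log the same line; for the hostname containing "%%" the unsafe shape logs "50%off" while the safe shape preserves the data verbatim, which is exactly the difference between treating the message as a format and treating it as an argument. Whether that difference is reachable by an unprivileged user is the question the thread is arguing about; the code only shows what happens once the string is under someone's control.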