zkfingerd-2.0.2 (the latest version) Format String Vulnerabilities

From: yan feng (jskph4nt0m.net)
Date: Tue Jul 08 2003 - 01:33:17 CDT


                                ========================================
                                Ph4nt0m Security Advisory 2#2003--7-7
                                ========================================
 Title: zkfingerd-2.0.2 (the latest version) Format String Vulnerabilities

 Advisory Number : SRT2003-7-7-002
 Product : zkfingerd
 Version : 2.0.2 (possibly all versions)
 Vendor : http://sourceforge.net/projects/zkfingerd
 Class : Local & remote
 Criticality : High
 Operating System(s) : *nix

***************************************************************************
 High Level Description : Format String Vulnerabilities in syslog() and fprintf()
***************************************************************************

 Technical Details
 ************************************************************************
 zkfingerd-r3-0.9 could be exploited remotely; the latest version, 2.0.2, also
 contains a format string vulnerability.
 The vulnerable code is in src/die.c (_finger_error), line 107:
 .........................................
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Excerpt from zkfingerd src/die.c. The option flags (DEBUG_ERROR,
 * QUIET_ERROR, FATAL_ERROR) and chomp() are defined elsewhere in the
 * project; chomp() conventionally strips the trailing newline from msg. */
void
_finger_error(int options, char *function, char *file,
        int line, char *msg, ...)
{
        va_list ap;

        va_start(ap, msg);

        chomp(msg);

#ifdef DEBUG
        if(options & DEBUG_ERROR)
                fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
        else
#endif
        if(!(options & QUIET_ERROR))
                fprintf(stdout, "< ");

        /* A va_list cannot be tested for "no arguments" with !ap; whichever
         * branch is taken below, msg itself is used as the format string. */
        if(strchr(msg, '%') != NULL && !ap)
        {
                if(!(options & QUIET_ERROR))
                        fprintf(stdout, msg);   /* VULNERABLE: msg is the format
                                                   string and may be supplied by
                                                   the remote user */
#ifndef NO_SYSLOG
                syslog(LOG_CRIT, msg);          /* same flaw via syslog(),
                                                   possibly exploitable */
#endif
        }
        else
        {
                if(!(options & QUIET_ERROR))
                        vfprintf(stdout, msg, ap);   /* msg is still the format */

#ifndef NO_SYSLOG
                vsyslog(LOG_CRIT, msg, ap);
#endif
        }

        if(!(options & QUIET_ERROR))
        {
#ifdef DEBUG
                fprintf(stdout, "%s\r\n",
                        (!(options & DEBUG_ERROR)) ? " >" : "");
#else
                fprintf(stdout, " >\r\n");
#endif
        }

        va_end(ap);

        fflush(stdout);

        if(options & FATAL_ERROR)
                exit(1);

        return;
}

So it is possible to corrupt memory by passing format strings through the
vulnerable function. This may potentially be exploited to overwrite
arbitrary locations in memory with attacker-specified values.
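The following example is added here and is not part of the advisory or of zkfingerd. It shows the shape of the fix (a constant format string, with the message only ever passed as a "%s" argument) next to a small check that flags a "%n" conversion in untrusted text, the directive that turns a format string bug into a memory write. The QUIET_ERROR value and the output-buffer interface are assumptions made so the behaviour can be checked without writing to stdout or syslog.

```c
#include <stdio.h>
#include <string.h>

#define QUIET_ERROR 0x02   /* assumed value; zkfingerd defines its own flags */

/* Return 1 if s contains a %n conversion, i.e. a directive that makes the
 * printf family WRITE to memory instead of reading it.  Flags, width,
 * precision and length modifiers are skipped so "%08x" is ignored while
 * "%hhn" is caught; "%%" is a literal percent sign.  Suitable for flagging
 * untrusted input in an input-validation or log-inspection check. */
int has_write_directive(const char *s)
{
        while (*s) {
                if (*s++ != '%')
                        continue;
                if (*s == '%') {                 /* "%%": literal percent */
                        s++;
                        continue;
                }
                while (*s && strchr("-+ #0", *s))
                        s++;                     /* flags */
                while (*s == '*' || (*s >= '0' && *s <= '9'))
                        s++;                     /* field width */
                if (*s == '.') {                 /* precision */
                        s++;
                        while (*s == '*' || (*s >= '0' && *s <= '9'))
                                s++;
                }
                while (*s && strchr("hlLqjzt", *s))
                        s++;                     /* length modifier */
                if (*s == 'n')
                        return 1;
        }
        return 0;
}

/* Hardened counterpart of _finger_error(): the format string is a constant
 * and the (possibly user-supplied) msg is only ever a "%s" argument, so its
 * '%' characters are printed verbatim.  The real fix would call
 * fprintf(stdout, "%s", msg) and syslog(LOG_CRIT, "%s", msg); this version
 * writes to a caller-supplied buffer and returns the formatted length. */
int finger_error_safe(char *out, size_t outlen, int options, const char *msg)
{
        if (options & QUIET_ERROR)               /* no "< ... >" framing */
                return snprintf(out, outlen, "%s", msg);
        return snprintf(out, outlen, "< %s >\r\n", msg);
}
```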

I am studying the code; I will provide how to attack & exploit......

.................................................................................................

*************************************************************************************************
By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail: jskph4nt0m.net

ph4nt0m Security Home: http://www.ph4nt0m.net
My World: http://jsk.njsafe.com
My GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc