On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
>
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe.
>
> 2.
>
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses n-th argument and does not properly count real number of arguments
> used. Thus, arguments, whose index numbers are above the total number of
> conversion specifications, are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides
a similar protection against format string attacks as libsafe) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

-- 
Steve Beattie                               Don't trust programmers? 
<stevewirex.net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org

iD8DBQE8mNPRquBH+DuYavMRAnndAJ9wf1KzA05oFNd7a+1rFpg0i/Xo1QCgjIZY iMvYrUhZ3Q6cx6+XyYJc6mo= =xcSc -----END PGP SIGNATURE-----

_______________________________________________ Immunix-announce mailing list Immunix-announcewirex.com http://mail.wirex.com/mailman/listinfo/immunix-announce _______________________________________________ Immunix-users mailing list Immunix-usersmail.wirex.com http://mail.wirex.com/mailman/listinfo/immunix-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]