Subject: Re: INN: guilty of syslog() format string breakage?
From: Daniel Jacobowitz (drow@false.org)
Date: Wed Jun 28 2000 - 18:12:09 CDT


Well, without looking at the remainder of the code, I can tell you that
it almost certainly is. If there is a single place where we have free
control over what is logged, it's no different than what I did
yesterday for statd. Do normal users have control over innfeed at all?

Is this from inn2? Inn1 seems quite careful.

On Wed, Jun 28, 2000 at 11:52:21PM +0100, Chris Evans wrote:
>
> Hmm,
>
> Some guru fancy considering if this is exploitable?
>
> Chris
>
>
> innfeed/misc.c:
>
> static void log (int level, const char *fmt, va_list args)
> {
>   time_t now = time (NULL) ;
>   char timeString [30] ;
>   char *p = NULL ;
>   int out ;
>
>   strcpy (timeString,ctime (&now)) ;
>   timeString [24] = '\0' ;
>
>   fprintf (stderr, "%s %s: ",
>            timeString, (program ? program : "UNKNOWN PROGRAM NAME")) ;
>   out = vfprintf (stderr, fmt, args) ;
>   fprintf (stderr,"\n") ;
>
>   p = malloc (out + 10) ;
>   vsprintf (p,fmt,args) ;
>   syslog (level,p) ;   /* <---- formatted message reused as the format string */
> }
>
>
>
>

Dan

/--------------------------------\  /--------------------------------\
| Daniel Jacobowitz              |__| SCS Class of 2002              |
| Debian GNU/Linux Developer      __  Carnegie Mellon University     |
| dan@debian.org                 |  | dmj+@andrew.cmu.edu            |
\--------------------------------/  \--------------------------------/
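The pattern in the quoted function, as an added example that is not code from INN or from either poster: a sink in the innfeed shape (format the message once, then hand the resulting text to a second formatter, as syslog (level,p) does) next to the corrected shape that passes the text through a fixed "%s" format. The quoted code also reuses `args` after vfprintf() has consumed it, which the C standard leaves undefined, so the corrected two-pass logger below uses va_copy(). The buffer-writing helpers, the has_conversion() review aid and the sample peer name are assumptions of this example; a real build would call syslog(3) and the fix is the literal format `syslog(level, "%s", p)`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-ins for innfeed's log(). Instead of stderr and syslog(3) they
 * write into caller-supplied buffers so the result can be inspected
 * offline; the structure (format once, then hand the text to a second
 * formatter) is the one in the quoted function. Added example, not INN code.
 */

/* Vulnerable shape: the text produced by the first pass becomes the
 * format string of the second pass, exactly like syslog(level, p). */
int sink_unsafe(char *dst, size_t dstlen, const char *msg)
{
    /* msg is data here, but the compiler cannot know that; gcc's
     * -Wformat-security flags this line for exactly that reason. */
    return snprintf(dst, dstlen, msg);
}

/* Corrected shape: the text is an argument to a fixed format, so any
 * '%' it contains is copied verbatim, like syslog(level, "%s", p). */
int sink_safe(char *dst, size_t dstlen, const char *msg)
{
    return snprintf(dst, dstlen, "%s", msg);
}

/* Corrected two-pass logger. innfeed reuses `args` after vfprintf() has
 * consumed it, which is undefined behaviour; va_copy() gives the second
 * pass its own copy. Returns the length of the console line, as the
 * original returned vfprintf()'s count. */
int log_message(char *console, size_t clen, char *slog, size_t slen,
                const char *fmt, ...)
{
    char msg[256];              /* bounded, unlike malloc(out + 10) + vsprintf */
    va_list args, copy;
    int out;

    va_start(args, fmt);
    va_copy(copy, args);
    out = vsnprintf(console, clen, fmt, args);   /* first pass: the stderr line */
    vsnprintf(msg, sizeof msg, fmt, copy);        /* second pass: text for syslog */
    va_end(copy);
    va_end(args);

    sink_safe(slog, slen, msg);                   /* the syslog(3) call, fixed */
    return out;
}

/* Review aid: does a string that is about to be used as a format string
 * carry a conversion specifier? "%%" is a literal percent and is ignored. */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" escapes itself */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a peer name that happens to contain "%%". */
    const char *peer = "news.example%%";
    char a[64], b[64], c[64], d[64];

    sink_unsafe(a, sizeof a, peer);
    sink_safe(b, sizeof b, peer);
    printf("unsafe sink: %s\n", a);   /* "%%" collapsed: data was parsed as a format */
    printf("safe sink:   %s\n", b);   /* copied verbatim */

    log_message(c, sizeof c, d, sizeof d, "peer %s disconnected", peer);
    printf("console: %s\nsyslog:  %s\n", c, d);
    printf("conversion in peer name: %d\n", has_conversion(peer));
    return 0;
}
```

The "%%" sample is chosen because its behaviour under a second formatting pass is fully defined: the unsafe sink collapses it to a single "%", which is the observable sign that attacker-supplied text reached the format engine, while the safe sink leaves it untouched. In a review, has_conversion() run over the strings a program feeds to syslog() or printf() without a literal format is a cheap way to find the same reuse elsewhere; the compile-time equivalent is building with -Wformat-security.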