Subject: Re: Format strings & i18n
From: James Antill (jamesand.org)
Date: Tue Oct 03 2000 - 11:56:28 CDT


Jarno Huuskonen <jhuuskonmessi.uku.fi> writes:

> Hi,
>
> Lots of programs blindly feed the result of catget to various printf
> type functions. While usually this has no security problems
> (no suid/sgid programs) it still allows users to define their own
> path for the messages (LANGUAGE=../../../tmp etc.) and these messages can
> have all the nice format strings.
>
> The security risk comes if some (l)user is allowed to run some program
> with root privs (for example with sudo) and all the environment is not
> cleaned (LANGUAGE etc.) --> luser can use his/her own messages.

 So the user has been compromised and then runs su; why couldn't the
attacker just read their tty?

> I think it would be a good idea to have some kind of support in (glibc?) to
> catch crazy i18n format strings. Perhaps it could count the formatters in
> the original message and if there're more in i18n version then use the
> original.
>
> So instead of fprintf(stderr, catget("You made a %s mistake"), progname);
> Programmers would use:
> fprintf(stderr, verify_catget("You made a %s mistake"), progname);

 How would verify_catget() work (i.e. how can it know what is correct
and what isn't)?

 What you want is something akin to "FormatGuard", which doesn't exist
yet (maybe ask Crispin Cowan -- maybe he's already working on it).

-- 
James Antill -- jamesand.org
"If we can't keep this sort of thing out of the kernel, we might as well
pack it up and go run Solaris." -- Larry McVoy.
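An added example, not from either poster, of the kind of check Jarno sketches: extract the sequence of conversion specifiers from the programmer's source string and from the catalog message, and use the catalog message only if the two sequences match exactly, otherwise fall back to the source string. It goes a little beyond a plain count by comparing conversion letters in order and by rejecting %n and unterminated conversions outright. The names format_signature and checked_message and the sample catalog entries are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Collect the conversion letters of fmt into out ("%s: %5.2f" -> "sf").
 * Returns the count, or -1 for an unterminated conversion or any %n.
 * Positional "%2$s" forms are not parsed; their '$' makes them mismatch. */
int format_signature(const char *fmt, char *out, size_t max)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* literal "%%" */
        while (*p && strchr("-+ #0'", *p)) p++;         /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') {                                /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;        /* length modifier */
        if (*p == '\0' || *p == 'n' || n + 1 >= max) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Return catalog_msg only if its conversions match the programmer's
 * source string exactly; otherwise fall back to the source string. */
const char *checked_message(const char *source, const char *catalog_msg)
{
    char want[32], got[32];
    if (format_signature(source, want, sizeof want) < 0) return source;
    if (format_signature(catalog_msg, got, sizeof got) < 0) return source;
    return strcmp(want, got) == 0 ? catalog_msg : source;
}

int main(void)
{
    /* Constructed sample catalog entries standing in for catgets() output. */
    const char *src  = "You made a %s mistake (%d)\n";
    const char *ok   = "Vous avez fait une erreur %s (%d)\n";
    const char *bad  = "You made a %s mistake %x%x%x\n";  /* reads past real args */
    const char *evil = "oops %s %n\n";                    /* %n: always rejected */
    printf(checked_message(src, ok), "typo", 1);
    printf(checked_message(src, bad), "typo", 2);         /* prints src instead */
    printf(checked_message(src, evil), "typo", 3);        /* prints src instead */
    return 0;
}
```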