From: Sebastian (scutNB.IN-BERLIN.DE)
Date: Mon Apr 02 2001 - 03:56:11 CDT

    Hi :-)

    On Sun, Apr 01, 2001 at 08:06:46PM -0400, fish stiqz wrote:

    > I only used one argument to exploit that, if you look closely you'll
    > notice it works just like a classical buffer overflow, overwriting the
    > return address of the "file" function. Now, if I read this correctly

    This case is not so rare; often you can find a combination of a bounds-checking
    and a non-bounds-checking format function call:

    #include <stdio.h>

    void
    foofunc (char *user)
    {
            char buf2[200];
            char buf1[100];

            /* bounded: at most 50 bytes of user data end up in buf1 */
            sprintf (buf1, "Error: %.50s", user);
            /* unbounded: buf1, still attacker-controlled, is now the format string */
            sprintf (buf2, buf1);
    }

    This is the case for the QPOP 2.53 EUIDL and bftpd vulnerabilities, for which
    exploits exist that use your kind of "stretching" format parameter.

    > your solution would not defend against this. I think a better way to
    > solve format string problems is to actually make a parser for it, or
    > integrate into the gcc parser itself, (isn't this being done in gcc 3.0?).

    The most practical workaround is to remove the %n format parameter. I know
    this will bring up some strong opinions, such as "we need %n for performance
    reasons" or "cutting functionality to fix security is bad". However, I have
    never used the %n parameter for anything except exploits, and have yet to
    come across a program that uses it. No program I ever audited used it. As for
    the performance impact, some people claim they must use it for code like
    this:

            #include <stdio.h>
            #include <string.h>
            #include <unistd.h>

            void send_split (int fd, const char *variablesized, const char *foo)
            {
                    int len1;
                    char buf[200];

                    /* %n stores the number of bytes written so far into len1 */
                    snprintf (buf, sizeof (buf), "%s%n%s", variablesized, &len1, foo);
                    write (fd, buf, len1);
                    sleep (2);
                    write (fd, buf + len1, strlen (buf + len1));
            }

    Or, more generally, to further process the string they generate. In every case
    this can be done with two buffers and the return value of printf.

    For an in-depth discussion about how format string vulnerabilities can be
    exploited, you may want to take a look at my article, available from
    http://www.team-teso.net/releases.php.

    > - fish stiqz.

    ciao,
    scut

    --
    -. scutnb.in-berlin.de -. + http://segfault.net/~scut/ `--------------------.
    -' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
    `- CSMC_TOP_SECRET_ATOMAL.tar.bz2, 69043590 bytes received in 381.4 seconds -'
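The two points above, as an added example that is not code from scut's post, from QPOP or from bftpd: the "stretching" problem (the %.50s bound limits how many bytes reach buf1, not how many bytes buf1 produces when the second sprintf interprets it as a format) and the %n-free rewrite using snprintf's return value. The names fmt_min_output, foofunc_safe and format_split, and the minimal format parser behind fmt_min_output, are my own illustrations, not anything the post or the named programs contain; the attacker input is constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Lower bound on the bytes a string emits when a printf-family function
 * interprets it as a format: each literal byte counts once, each conversion
 * counts at least its field width (a conversion never emits fewer bytes than
 * its width). Sets *has_n if a %n conversion is present. Assumption: a minimal
 * parser for flags, width, precision and length modifiers, enough to show how
 * a short user string "stretches" on an unbounded second sprintf call.
 */
size_t fmt_min_output(const char *fmt, int *has_n)
{
    size_t total = 0;
    const char *p = fmt;
    char *end;

    *has_n = 0;
    while (*p) {
        if (*p != '%') {                        /* literal byte */
            total++;
            p++;
            continue;
        }
        p++;                                    /* skip '%' */
        if (*p == '%') {                        /* "%%" emits a single '%' */
            total++;
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p))       /* flags */
            p++;
        unsigned long width = 0;
        if (*p == '*') {
            p++;                                /* width taken from an argument: unknown */
        } else {
            width = strtoul(p, &end, 10);
            p = end;
        }
        if (*p == '.') {                        /* precision */
            p++;
            if (*p == '*') {
                p++;
            } else {
                strtoul(p, &end, 10);
                p = end;
            }
        }
        while (*p && strchr("hlLqjzt", *p))     /* length modifiers */
            p++;
        if (*p == '\0')                         /* truncated conversion */
            break;
        if (*p == 'n')
            *has_n = 1;
        total += width;
        p++;                                    /* conversion character */
    }
    return total;
}

/* Hardened form of the post's foofunc: buf1 is passed as an argument to a
 * fixed "%s" format, never used as the format itself, and the copy is bounded. */
void foofunc_safe(const char *user, char *out, size_t outlen)
{
    char buf1[100];

    snprintf(buf1, sizeof buf1, "Error: %.50s", user);
    snprintf(out, outlen, "%s", buf1);
}

/* %n-free version of the "%s%n%s" split: format the first part alone and take
 * the split point from snprintf's return value. Returns the total length, or
 * -1 on truncation (which the %n version silently ignores). */
int format_split(char *buf, size_t buflen, const char *first,
                 const char *second, int *len1)
{
    int n = snprintf(buf, buflen, "%s", first);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    *len1 = n;
    int m = snprintf(buf + n, buflen - n, "%s", second);
    if (m < 0 || (size_t)m >= buflen - n)
        return -1;
    return n + m;
}

int main(void)
{
    /* Constructed attacker input: 6 bytes, far under the %.50s limit ... */
    const char *user = "%2000x";
    char buf1[100], out[200];
    int has_n, len1;

    snprintf(buf1, sizeof buf1, "Error: %.50s", user);
    /* ... but as a format string it expands well beyond buf2[200]. */
    printf("\"%s\" emits at least %zu bytes (contains %%n: %d)\n",
           buf1, fmt_min_output(buf1, &has_n), has_n);
    foofunc_safe(user, out, sizeof out);
    printf("safe: %s\n", out);
    printf("split total %d, len1 %d, buf \"%s\"\n",
           format_split(out, sizeof out, "HELO ", "world", &len1), len1, out);
    return 0;
}
```

fmt_min_output is a lower bound only: it counts widths, not the actual argument lengths, so an unbounded %s can expand further still. It is meant as an audit-time check against a destination size, not as a runtime sanitiser; the runtime fix is the one foofunc_safe shows, which is to never let user data reach the format argument at all.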