
From: Rain Forest Puppy (rfpvulnwatch.org)
Date: Fri Nov 30 2001 - 17:49:47 CST


    GOBBLES (www.bugtraq.org) has released an advisory concerning a format
    string vuln in the logging of the runas app available from
    http://metagame.org/runas/ (nothing to do with Windows runas). Since only
    10% of the advisory deals with the problem, I'm going to include the
    appropriate excerpt below; however, those with the bandwidth can
    read the full thing online at GOBBLES' site:

    http://www.bugtraq.org/dev/GOBBLES-10.txt

    - rfp

    TECHNICAL DETAILS
    *****************

    bash-2.05$ ./runas -GOBBLES "%s%s%s"
    ./runas: on /dev/ttyp2 in /usr/home/GOBBLES/runas-3.11.1/runas-3.11.1: NO
    PRIVILEDGE for GOBBLES for command: [-GOBBLES] [%s%s%s]
    Segmentation fault (core dumped)

    Bugtraq, here we come!

    main()->checkAccess()->syslogCommandNOPRIV()->errorMsg()->syslogMsg()

        while (msglen > nonterminated_syslog_buflen) {
            (void) strncpy(syslog_buf, msg, nonterminated_syslog_buflen);
            syslog_buf[syslog_bufsize] = (char) NULL;
            delimiter = strrchr(syslog_buf, SPACE); /* split on space boundary */

            if (delimiter == NULL) { /* No space found */
                msg_position = nonterminated_syslog_buflen;
                syslog_buf[msg_position + 1] = (char) NULL;
            } else {
                msg_position = nonterminated_syslog_buflen - strlen(delimiter);
                syslog_buf[msg_position] = (char) NULL;
            }
            (void) syslog(priority, syslog_buf);
            msglen -= msg_position;
            msg += msg_position + 1;
        }
        if (msg != NULL) {
            (void) syslog(priority, msg);
        }
    } /* syslogMsg */

    Hehe, can you spot the off-by-one heap-based overflow?!?! Similar function to
    the sudo vuln function hehehe. Identical class of product too hehehe. Maybe
    Illuminati behind this conspiracy lololololololololololololololololol.

    But easy to see fmtstringerizer hole there with syslog().
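Both problems GOBBLES points at, the NUL stored one byte past the buffer and the message handed to syslog() as the format string, are easy to avoid. The following is an added C example, not code from runas or from the advisory; BUFSIZE, log_in_chunks and the sink callbacks are hypothetical names chosen so the chunking can be checked without a syslog daemon.

```c
#include <stddef.h>
#include <string.h>
#include <syslog.h>
/* BUFSIZE, log_in_chunks and the sinks are constructed for this example. */
#define BUFSIZE 16                 /* small on purpose so splitting is exercised */
#define MAX_CAPTURED 8
typedef void (*sink_fn)(int priority, const char *chunk);
/* Production sink: the text is a "%s" argument, never the format string. */
void syslog_sink(int priority, const char *chunk) {
    syslog(priority, "%s", chunk);
}
/* Test sink: records chunks so behaviour can be checked without syslogd. */
char captured[MAX_CAPTURED][BUFSIZE];
int ncaptured;
void capture_sink(int priority, const char *chunk) {
    (void)priority;
    if (ncaptured < MAX_CAPTURED) {
        strncpy(captured[ncaptured], chunk, BUFSIZE - 1);
        captured[ncaptured][BUFSIZE - 1] = '\0';
    }
    ncaptured++;
}
/* Emits msg in pieces of at most BUFSIZE-1 bytes, split on the last space
   when there is one. Every store stays inside buf. Returns the piece count. */
int log_in_chunks(int priority, const char *msg, sink_fn sink) {
    char buf[BUFSIZE];
    const size_t maxlen = BUFSIZE - 1;        /* leave room for the NUL */
    size_t msglen = strlen(msg);
    int count = 0;
    while (msglen > maxlen) {
        memcpy(buf, msg, maxlen);
        buf[maxlen] = '\0';                   /* last valid index, not BUFSIZE */
        char *delim = strrchr(buf, ' ');
        int split = (delim != NULL && delim > buf);
        size_t take = split ? (size_t)(delim - buf) : maxlen;
        buf[take] = '\0';
        sink(priority, buf);
        count++;
        /* Advance past the split space only if one was actually found. */
        size_t skip = split ? take + 1 : take;
        msg += skip;
        msglen -= skip;
    }
    if (msglen > 0) { sink(priority, msg); count++; }   /* remainder, via "%s" */
    return count;
}
```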