From:	 Steve Beattie <steve@wirex.net>
To:	 bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: Re: [VulnWatch] Bypassing libsafe format string protection
Date:	 Wed, 20 Mar 2002 10:24:18 -0800
Cc:	 Wojciech Purczynski <cliph@isec.pl>, security@isec.pl,
	 immunix-announce@wirex.com

On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
> 
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe. 
> 
> 2.
> 
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses the n-th argument and do not properly count the real number of
> arguments used. Thus, arguments whose index numbers are above the total
> number of conversion specifications are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides
protection against format string attacks similar to libsafe's) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

-- 
Steve Beattie                               Don't trust programmers? 
<steve@wirex.net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
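As an added illustration (not part of this thread, of libsafe, or of FormatGuard), the C checker below contrasts the per-specification counting the advisory describes with the slot accounting a wrapper actually needs before it can verify arguments: `naive_arg_count`, `required_arg_count` and the sample format strings are constructed for this example, and the flag and length-modifier sets are glibc's.

```c
#include <ctype.h>
#include <string.h>

/* Read a decimal number at *p and advance past it; -1 when no digits. */
static int read_num(const char **p) {
    if (!isdigit((unsigned char)**p)) return -1;
    int v = 0;
    while (isdigit((unsigned char)**p)) v = v * 10 + (*(*p)++ - '0');
    return v;
}

static void claim(size_t *next, size_t *max, int pos) { /* "m$" slot or next sequential */
    size_t slot = pos > 0 ? (size_t)pos : ++*next;
    if (slot > *max) *max = slot;
}

/* Width or precision field: a plain number, "*" (next argument) or "*m$". */
static void field(const char **p, size_t *next, size_t *max) {
    if (**p != '*') { read_num(p); return; }
    (*p)++;
    int idx = read_num(p);
    if (idx > 0 && **p == '$') (*p)++; else idx = -1;
    claim(next, max, idx);
}

/* Naive count, the strategy the advisory describes: one argument per "%" spec. */
size_t naive_arg_count(const char *fmt) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++)
        if (*p == '%') { if (p[1] == '%') p++; else n++; }
    return n;
}

/* Highest slot the format can reach: "%m$", "*" fields and glibc flags honoured. */
size_t required_arg_count(const char *fmt) {
    size_t next = 0, max = 0;
    for (const char *p = fmt; (p = strchr(p, '%')) != NULL; ) {
        if (*++p == '%') { p++; continue; }
        int pos = read_num(&p);                       /* "%m$" positional index... */
        if (pos > 0 && *p == '$') p++; else pos = -1; /* ...otherwise it was a width */
        while (*p && strchr("#0- +'I", *p)) p++;      /* flags, incl. glibc's ' and I */
        field(&p, &next, &max);                       /* width */
        if (*p == '.') { p++; field(&p, &next, &max); }
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length modifiers */
        if (*p == '\0') break;
        p++;                                          /* conversion character */
        claim(&next, &max, pos);
    }
    return max;
}
```

For the constructed format "%1$s %4$d" the naive count is 2 while four argument slots are reachable, which is exactly the gap the advisory's second point describes; a wrapper that verifies only the naive count leaves slots 3 and 4 unchecked.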