From: Steve Beattie <steve@wirex.net>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: Re: [VulnWatch] Bypassing libsafe format string protection
Date: Wed, 20 Mar 2002 10:24:18 -0800
Cc: Wojciech Purczynski <cliph@isec.pl>, security@isec.pl, immunix-announce@wirex.com

On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
>
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe.
>
> 2.
>
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses the n-th argument and do not properly count the real number of
> arguments used. Thus, arguments whose index numbers are above the total
> number of conversion specifications are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides a
similar protection against format string attacks as libsafe) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for a
given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

-- 
Steve Beattie                               Don't trust programmers?
<steve@wirex.net>                 Complete StackGuard distro at immunix.org
http://NxNW.org/~steve/
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
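As an added illustration of the point made in this reply (this is example code, not from the advisory, from libsafe or from FormatGuard), the following C program contrasts a naive "one argument per conversion specification" count with the count returned by glibc's own parse_printf_format(), and applies the FormatGuard-style bounds check: a call is rejected when the format would consume more arguments than the caller supplied. It assumes glibc (parse_printf_format() and <printf.h> are glibc extensions); the sample format strings in main() are constructed for the demonstration.

```c
/* Count how many arguments a printf-style format string actually consumes.
 * Added example; assumes glibc, whose <printf.h> declares parse_printf_format(). */
#define _GNU_SOURCE
#include <printf.h>   /* parse_printf_format() */
#include <stddef.h>
#include <stdio.h>

/* Naive count in the spirit the advisory attributes to libsafe: one argument
 * per conversion specification, ignoring positional indices ("%3$x"),
 * '*' widths and unusual flags. "%%" is a literal percent and consumes nothing. */
size_t naive_arg_count(const char *fmt)
{
    size_t n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Count using the same parser glibc's *printf() functions use. With n == 0
 * and argtypes == NULL nothing is written; only the argument count is
 * returned, and for positional arguments that is the highest index referenced. */
size_t glibc_arg_count(const char *fmt)
{
    return parse_printf_format(fmt, 0, NULL);
}

/* The check a FormatGuard-style wrapper performs: the caller passed
 * `supplied` variadic arguments; reject the call if the format would read
 * beyond them. Returns 1 when the call is within bounds, 0 otherwise. */
int format_within_bounds(const char *fmt, size_t supplied)
{
    return glibc_arg_count(fmt) <= supplied ? 1 : 0;
}

/* Arguments a naive conversion-counting parser fails to account for. */
size_t args_missed_by_naive_count(const char *fmt)
{
    size_t naive = naive_arg_count(fmt);
    size_t real = glibc_arg_count(fmt);
    return real > naive ? real - naive : 0;
}

int main(void)
{
    /* Constructed sample formats: a plain one, a positional index, a '*'
     * width, two glibc-specific flags (' and I), and an escaped percent. */
    const char *samples[] = { "%s %d", "%3$x", "%*d", "%'d", "%Id", "100%%" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *f = samples[i];
        printf("%-8s naive=%zu glibc=%zu missed=%zu ok_with_1_arg=%d\n",
               f, naive_arg_count(f), glibc_arg_count(f),
               args_missed_by_naive_count(f), format_within_bounds(f, 1));
    }
    return 0;
}
```

Running it shows where the two counts diverge: "%3$x" is one conversion but requires three arguments according to glibc, "%*d" is one conversion but consumes two, and the "'" and "I" flags are parsed as ordinary modifiers rather than tripping up the parser. Comparing against the caller's real argument count, as FormatGuard does, is what makes the check hold for these cases.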