Date: Tue, 26 Sep 2000 00:58:39 +0100
Subject: Format strings: Summary and rant
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

The previous messages describing various format string bugs were found in a single evening. Each bug was discovered by executing the following command across an unpacked source tree:

    find . -name \*.c | xargs grep syslog | less

No, it is not a comprehensive test for format string bugs (it misses the *printf* family, as well as stuff not in .c files, etc). The point is that a trivial and almost automated effort found some serious bugs.

We have to assume that crackers have a little stockpile of non-public format string exploits from simple greps like the above. This stockpile needs to be eroded ASAP.

Personally, if I were in a team responsible for a widely deployed piece of internet server software, I would have been very very scared by the initial format string discovery in wu-ftpd. I would have performed an immediate check of my software for similar bugs. It would not have taken long to perform this check.

Are you involved in the maintenance of any server software? If so, please check your code for format string bugs, or someone like me will "make you famous" on bugtraq.

As a user of internet server software, feel free to ask the maintenance team if they have audited their software for this class of flaw.

Cheers
Chris
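The grep in the message above only looks for `syslog`, and the author notes that it misses the `*printf` family and multi-line calls. As an added example (this is not part of Chris's post and not code from any of the projects mentioned), here is a Python heuristic scanner that generalizes the check: it walks every call to a syslog/printf-family function and flags those whose format argument is not a string literal, which is exactly the `syslog(LOG_INFO, buf)` shape behind the wu-ftpd bug. The function table, the helper names and the embedded C fragment are my own constructions; a non-literal format is not always exploitable (it may be a constant from a table), and gettext wrappers such as `_("...")` will show up as false positives, so every hit still needs a human to read the call.

```python
import re
import sys
from pathlib import Path

# Format-taking functions and the 0-based position of their format argument,
# taken from the standard C prototypes (assumption: add your project's own
# logging wrappers here, e.g. a local log_msg(level, fmt, ...)).
FORMAT_FUNCTIONS = {
    "syslog": 1, "vsyslog": 1,
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "vfprintf": 1,
    "sprintf": 1, "vsprintf": 1,
    "snprintf": 2, "vsnprintf": 2,
}


def _strip_comments(src):
    """Blank out C comments but keep newlines so line numbers stay correct."""
    return re.sub(r"/\*.*?\*/|//[^\n]*",
                  lambda m: re.sub(r"[^\n]", " ", m.group(0)), src, flags=re.S)


def _split_args(src, start):
    """Split the argument list of the call whose '(' is at src[start].

    Tracks nested parentheses and string/char literals, so calls spanning
    several lines are handled. Returns None if the call is never closed.
    """
    depth, args, cur, in_str, i = 0, [], [], None, start
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):   # keep escaped quote inside literal
                cur.append(src[i + 1])
                i += 2
                continue
            if c == in_str:
                in_str = None
        elif c in "\"'":
            in_str = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i + 1
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def find_format_sinks(src, functions=FORMAT_FUNCTIONS):
    """Return [(line, function, format_arg)] for every call in the family whose
    format argument does not start with a string literal."""
    src = _strip_comments(src)
    call = re.compile(r"\b(" + "|".join(map(re.escape, functions)) + r")\s*\(")
    findings = []
    for m in call.finditer(src):
        parsed = _split_args(src, m.end() - 1)
        if parsed is None:
            continue
        args, _ = parsed
        idx = functions[m.group(1)]
        if idx < len(args) and not args[idx].startswith('"'):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), args[idx]))
    return findings


def scan_tree(root, suffixes=(".c", ".h")):
    """The find|xargs|grep pipeline, but over .c and .h files and using the
    literal-format heuristic instead of a plain match on the word syslog."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in suffixes and path.is_file():
            text = path.read_text(errors="replace")
            results += [(str(path), *hit) for hit in find_format_sinks(text)]
    return results


# Constructed sample source for demonstration; not taken from any real project.
SAMPLE_C = r'''
#include <stdio.h>
#include <syslog.h>

void log_user(const char *user, char *buf, size_t n)
{
    /* format string comes straight from the client: the wu-ftpd class of bug */
    syslog(LOG_INFO, user);
    syslog(LOG_INFO, "login from %s", user);   /* fine: literal format */
    snprintf(buf, n, user);                    /* same bug, *printf family */
    snprintf(buf, n, "%s", user);              /* fixed form */
    fprintf(stderr,
            user);                              /* multi-line call, still flagged */
    printf("%d%%\n", 100);                      /* literal containing %% is fine */
}
'''

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else \
        [("<sample>", *h) for h in find_format_sinks(SAMPLE_C)]
    for path, line, func, fmt in hits:
        print(f"{path}:{line}: {func}() with non-literal format: {fmt}")
```

Run it with a source tree as the argument (`python3 fmtscan.py /path/to/unpacked/src`) to get the same kind of one-evening sweep the message describes, with the `*printf` calls and multi-line invocations included; run it with no argument to see the three deliberate hits in the embedded sample.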