[LWN.net]
Date:         Fri, 23 Mar 2001 16:38:19 +0100
From: Wojtek Pawlikowski <vvega@LIDERLINK.NET>
Subject:      another format string bug
To: BUGTRAQ@SECURITYFOCUS.COM

There is a format string bug in 'pwc' (ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz).
This CGI script is used to change users' passwords via www (blah!).
writelog() calls the syslog() function, which 'eats' ;)  characters and logs them
to the system logs. But you can paste shellcode into buffer[512] and syslog()
will run it without any problems.

#include <stdarg.h>
#include <stdio.h>
#include <syslog.h>

#define SERVICENAME "pwc"	/* assumed value; pwc's own definition is not shown in this post */

void writelog(const char *fmt, ...)
{
	va_list args;
	char buffer[512];

	va_start(args, fmt);

	openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
	vsnprintf(buffer, 512, fmt, args);
	syslog(LOG_ERR, buffer);	/* <- bug :)  the formatted buffer is used as the format string */
	closelog();
	va_end(args);
	return;
}

As you can see, this is a potential security bug.

Patch:

	change
		syslog(LOG_ERR, buffer);
	to
		syslog(LOG_ERR, "%s", buffer);

greetz: #sigsegv, #phreakpl, #argante

-------------------------------------------------------------------
Wojtek Pawlikowski <wojtek@liderlink.net> Linux / BSD Administrator
Cell 0608521666 || Registered Linux User 198985 || Have a nice trip
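As an added example (not part of the original post or of pwc itself): the patched writelog() pattern, written so it also returns the rendered line, next to a small audit check that counts conversion specifications in untrusted input. SERVICENAME is an assumed identifier, and the names writelog_fixed and count_conversions are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define SERVICENAME "pwc"   /* assumed ident; not taken from the pwc source */

/* Count conversion specifications ("%x", "%n", ...) in untrusted input.
 * "%%" is a literal percent sign and is not counted. Handy as an audit or
 * alerting check on CGI fields that end up in a log line: a username
 * containing "%n" is a strong sign of a format-string probe. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The patched writelog() pattern, with the rendered line also copied to
 * `out` so callers (and tests) can see exactly what reaches syslog().
 * fmt must be a literal the programmer controls; user text such as the
 * requested username is passed only as an argument, so a '%' in it is
 * logged literally instead of being interpreted. */
const char *writelog_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char buffer[512];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);

    openlog(SERVICENAME, LOG_PID | LOG_NOWAIT, LOG_AUTH);
    syslog(LOG_ERR, "%s", buffer);   /* the fix: buffer is data, not format */
    closelog();

    snprintf(out, outlen, "%s", buffer);
    return out;
}
```

With the fixed call, a request whose username field is "%x%n" is recorded as those five literal characters, which is also what a log-monitoring rule can match on.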