Date: Fri, 23 Mar 2001 16:38:19 +0100
From: Wojtek Pawlikowski <vvega@LIDERLINK.NET>
Subject: another format string bug
To: BUGTRAQ@SECURITYFOCUS.COM

There is a format string bug in 'pwc' (ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz). This CGI script is used to change a user's password via www (blah!).

writelog() calls the syslog() function, which 'eats' ;) the characters and logs them to the system logs. But you can paste shellcode into buffer[512] and syslog() will run it without any problems.

    #include <stdarg.h>
    #include <stdio.h>
    #include <syslog.h>

    void writelog(const char *fmt, ...)
    {
        va_list args;
        char buffer[512];

        va_start(args, fmt);
        openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT | LOG_AUTH);
        vsnprintf(buffer, 512, fmt, args);
        syslog(LOG_ERR, buffer);        /* <- bug :) user data used as the format string */
        closelog();
        va_end(args);                   /* must run before return */
        return;
    }

As you can see, this is a potential security bug.

Patch: change

    syslog(LOG_ERR, buffer);

to

    syslog(LOG_ERR, "%s", buffer);

greetz: #sigsegv, #phreakpl, #argante

-------------------------------------------------------------------
Wojtek Pawlikowski <wojtek@liderlink.net>
Linux / BSD Administrator
Cell 0608521666 || Registered Linux User 198985 || Have a nice trip
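As an added example (not code from pwc or from the post above), the same writelog() shape with the "%s" fix applied, the syslog sink replaced by a string buffer so the result can be checked offline, and a format attribute so the compiler flags any caller that passes untrusted data as fmt. The names log_sink, last_log and log_hostile_user, and the hostile username, are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the syslog sink, so the logged text can be inspected. */
static char last_log[1024];

/* Takes a format string just like syslog(3); what reaches fmt here
 * decides whether '%' in user data is interpreted or logged literally. */
static void log_sink(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, args);
    va_end(args);
}

/* format(printf, 1, 2) makes gcc/clang -Wformat -Wformat-security warn
 * about callers such as writelog(user_input) that pass a non-literal fmt. */
static void writelog(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void writelog(const char *fmt, ...)
{
    va_list args;
    char buffer[512];

    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);                   /* before any return, unlike the original */

    /* The fix from the post: buffer is an argument and "%s" is the format,
     * so directives inside buffer are never interpreted by the sink. */
    log_sink("%s", buffer);
}

/* Logs a constructed hostile username and returns what the sink received. */
static const char *log_hostile_user(void)
{
    const char *user = "%x%x%n";    /* constructed input; syslog(LOG_ERR, buffer) would interpret it */
    writelog("password change failed for user %s", user);
    return last_log;
}

int main(void)
{
    puts(log_hostile_user());       /* the directives appear literally in the log line */
    return 0;
}
```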