BugTraq
zkfingerd-2.0.2 (the latest version) Format String Vulnerabilities    Jul 08 2003 06:33AM
yan feng (jsk ph4nt0m net)


========================================

Ph4nt0m Security Advisory 2#2003--7-7

========================================

Title: zkfingerd-2.0.2 (the latest version) Format String Vulnerabilities

Advisory Number : SRT2003-7-7-002

Product : zkfingerd

Version : 2.0.2 (possibly all versions)

Vendor : http://sourceforge.net/projects/zkfingerd

Class : Local & remote

Criticality : high

Operating System(s) : *nix

************************************************************************

High Level Description : Format String Vulnerabilities in fprintf() and syslog()

************************************************************************

Technical Details

************************************************************************

zkfingerd-r3-0.9 was remotely exploitable; the latest version, 2.0.2, also
contains a format string vulnerability.

The code is in src/die.c (_finger_error), line 107:

.........................................

/* Excerpt of _finger_error() from src/die.c. The #include lines are added
 * here for readability; chomp() and the *_ERROR option flags are defined
 * elsewhere in the zkfingerd source. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

void
_finger_error(int options, char *function, char *file,
              int line, char *msg, ...)
{
    va_list ap;

    va_start(ap, msg);
    chomp(msg);

#ifdef DEBUG
    if(options & DEBUG_ERROR)
        fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
    else
#endif
    if(!(options & QUIET_ERROR))
        fprintf(stdout, "< ");

    if(strchr(msg, '%') != NULL && !ap)
    {
        if(!(options & QUIET_ERROR))
            fprintf(stdout, msg);       /* <-- msg used as the format string
                                         *     (msg can be supplied by the attacker) */
#ifndef NO_SYSLOG
        syslog(LOG_CRIT, msg);          /* <-- same problem, written to syslog */
#endif
    }
    else
    {
        if(!(options & QUIET_ERROR))
            vfprintf(stdout, msg, ap);  /* msg is still the format string here */
#ifndef NO_SYSLOG
        vsyslog(LOG_CRIT, msg, ap);     /* and here */
#endif
    }

    if(!(options & QUIET_ERROR))
    {
#ifdef DEBUG
        fprintf(stdout, "%s\r\n",
                (!(options & DEBUG_ERROR)) ? " >" : "");
#else
        fprintf(stdout, " >\r\n");
#endif
    }

    va_end(ap);
    fflush(stdout);

    if(options & FATAL_ERROR)
        exit(1);
    return;
}

Because msg is handed to fprintf() and syslog() as the format string rather
than as an argument, any conversion directives it contains are interpreted:
%x and %s read words from the stack, and %n writes the number of characters
emitted so far to an address taken from the stack. An attacker who controls
msg can therefore leak process memory and, with %n, write attacker-chosen
values to arbitrary locations. Note that the strchr(msg, '%') && !ap guard
does not protect anything: after va_start() the va_list is never a null
pointer in practice, so the else branch is the one that normally runs, and
it passes msg to vfprintf()/vsyslog() as the format string just the same.
The fix in both branches is a constant format with msg as data, i.e.
fprintf(stdout, "%s", msg) and syslog(LOG_CRIT, "%s", msg).
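The vulnerable pattern, its fix, an input check, and the %n write primitive in working C, as an added example written for this page and not taken from zkfingerd. The function names render_vulnerable, render_fixed, count_conversions and n_write_demo are illustrative, and the finger-style inputs are constructed. Output goes into a buffer through vsnprintf() instead of stdout/syslog so the effect can be inspected, and the %n demonstration passes its pointer argument explicitly (well-defined C) where the real bug would take whatever happens to lie on the stack.

```c
/* Added example (not zkfingerd code): models the bug in _finger_error and
 * its fix. All inputs below are constructed for the demonstration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern: msg itself is the format string, exactly as in
 * fprintf(stdout, msg) / syslog(LOG_CRIT, msg). Renders into buf so the
 * result can be checked. */
int render_vulnerable(char *buf, size_t n, const char *msg, ...)
{
    va_list ap;
    int r;
    va_start(ap, msg);
    r = vsnprintf(buf, n, msg, ap);     /* directives in msg are interpreted */
    va_end(ap);
    return r;
}

/* The fix: a constant format, msg passed as data. */
int render_fixed(char *buf, size_t n, const char *msg)
{
    return snprintf(buf, n, "%s", msg); /* '%' in msg is printed literally */
}

/* Count conversion specifications in an untrusted string, treating "%%" as
 * a literal percent. Each one would consume an argument (a stack slot) the
 * caller never passed; a non-zero count in client-supplied text is the
 * thing to reject or alert on. */
int count_conversions(const char *s)
{
    int count = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                 /* "%%" */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == '\0') break;                            /* lone trailing '%' */
        count++;
        p++;                                              /* the conversion char */
    }
    return count;
}

/* The %n primitive: stores the number of bytes emitted so far through the
 * next pointer argument. Two explicit "stack slots" stand in for what
 * vfprintf would pull from the caller's frame: a filler word consumed by a
 * padding directive, then the address %n writes through. In the real bug
 * the attacker supplies that address inside msg; the width field lets the
 * attacker choose the value stored. Returns the stored value. */
int n_write_demo(const char *attacker_msg)
{
    char buf[512];
    unsigned filler = 0;
    int stored = 0;
    render_vulnerable(buf, sizeof buf, attacker_msg, filler, &stored);
    return stored;
}

int main(void)
{
    char out[128];
    const char *probe = "%08x.%08x.%08x";   /* constructed finger input */

    render_fixed(out, sizeof out, probe);
    printf("fixed       : %s\n", out);      /* printed verbatim */
    printf("conversions : %d\n", count_conversions(probe));

    /* "%%" is the only directive that is safe to render without arguments */
    render_vulnerable(out, sizeof out, "100%% sure");
    printf("vulnerable  : %s\n", out);

    printf("%%n stored   : %d\n", n_write_demo("%100u%n"));
    return 0;
}
```

Compiling the original die.c with gcc -Wall -Wformat=2 flags the fprintf(stdout, msg) call (-Wformat-security), which is the quickest way to audit a code base for this bug class.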

I am studying the code; I will provide how to attack & exploit it.

************************************************************************

By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail: jsk (at) ph4nt0m (dot) net

ph4nt0m Security Home: http://www.ph4nt0m.net

My World: http://jsk.njsafe.com

My GnuPG Public Key:http://202.119.104.82/webeq/app/jsk/jsk.asc
