AutoNice Daemon Program Name Format String Vulnerability

AutoNice Daemon (AND) is a freely available, open source software package designed to limit the activity of system processes. It provides features such as killing a process that has exceeded specific memory or processor resources.

AND is vulnerable to a format string bug in its handling of process names. A process whose name contains format specifiers will allow the execution of arbitrary code when AND attempts to kill it.

This could allow a local user to write to arbitrary sections of process memory, including the return address, and execute code as root.
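The bug class described above, shown as an added example rather than code from AND itself: a user-controlled process name used as a format string, next to the corrected call that passes it only as data. The function names, the message text and the sample name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; AND's real code is not on the page. */

#if 0
/* Vulnerable pattern (excluded from the build): the process name, which an
 * unprivileged user chooses, is interpreted as the format string.
 * gcc/clang flag this with -Wformat -Wformat-security. */
static void log_kill_unsafe(char *buf, size_t len, const char *comm)
{
    snprintf(buf, len, comm);
}
#endif

/* Hardened form: the format string is a constant and the name is only an
 * argument, so any '%' sequences in it are copied verbatim. */
int log_kill_safe(char *buf, size_t len, int pid, const char *comm)
{
    return snprintf(buf, len, "killing pid %d (%s)", pid, comm);
}

/* Defensive check: count conversion directives in an untrusted name so a
 * monitor can flag process names that look like format strings. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        if (s[1] != '\0')       /* a lone trailing '%' is not a directive */
            n++;
    }
    return n;
}

int main(void)
{
    const char *comm = "job-%x-%n";   /* constructed sample process name */
    char line[128];

    log_kill_safe(line, sizeof line, 4242, comm);
    printf("%s  [directives: %d]\n", line, count_format_directives(comm));
    return 0;
}
```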


