zkfingerd-2.0.2 (the last version) Format String Vulnerabilities

From: yan feng (jskat_private)
Date: Mon Jul 07 2003 - 23:33:17 PDT

    ========================================
    Ph4nt0m Security Advisory 2#2003--7-7
    ========================================
    Title: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities
    
     Advisory Number         : SRT2003-7-7-002
     Product                 : zkfingerd
     Version                 : 2.0.2 (possibly all versions)
     Vendor                  : http://sourceforge.net/projects/zkfingerd
     Class                   : Local & remote
     Criticality             : high
     Operating System(s)     : *nix
    
    
     
    *****************************************************************************
     High Level Description  : Format String Vulnerabilities in syslog() and fprintf()
    *****************************************************************************
    
     Technical Details
     ************************************************************************
     zkfingerd-r3-0.9 could be remotely exploitable; the latest version, 2.0.2,
     also has a format string vulnerability.
     The code is found in src/die.c (_finger_error), line 107:
     .........................................
    /* Excerpt from zkfingerd src/die.c as quoted in the advisory. chomp() and the
     * DEBUG_ERROR / QUIET_ERROR / FATAL_ERROR / NO_SYSLOG flags come from the
     * project's own headers; the standard headers below are what this function
     * itself needs. */
    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>

    void
    _finger_error(int options, char *function, char *file,
        int line, char *msg, ...)
    {
        va_list ap;

        va_start(ap, msg);

        chomp(msg);

    #ifdef  DEBUG
        if(options & DEBUG_ERROR)
            fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
        else
    #endif
        if(!(options & QUIET_ERROR))
            fprintf(stdout, "< ");

        if(strchr(msg, '%') != NULL && !ap)
        {
            if(!(options & QUIET_ERROR))
                fprintf(stdout, msg);       /* <-- advisory: msg could be provided by us */
    #ifndef NO_SYSLOG
            syslog(LOG_CRIT, msg);          /* <-- advisory: possible here as well */
    #endif
        }
        else
        {
            if(!(options & QUIET_ERROR))
                vfprintf(stdout, msg, ap);  /* msg is still the format string here */

    #ifndef NO_SYSLOG
            vsyslog(LOG_CRIT, msg, ap);
    #endif
        }

        if(!(options & QUIET_ERROR))
        {
    #ifdef  DEBUG
            fprintf(stdout, "%s\r\n",
                (!(options & DEBUG_ERROR)) ? " >" : "");
    #else
            fprintf(stdout, " >\r\n");
    #endif
        }

        va_end(ap);

        fflush(stdout);

        if(options & FATAL_ERROR)
            exit(1);

        return;
    }
    
     
    It is therefore possible to corrupt memory by passing format strings through the
    vulnerable function. This may potentially be exploited to overwrite arbitrary
    locations in memory with attacker-specified values.
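    The fix for both branches of _finger_error is the same: text that came from the
    caller (or the network) must never be the format argument. The C below is an
    added example written for this page, not zkfingerd's code; the function names
    safe_log_message, safe_log_format and count_format_directives and the sample
    message are constructed. It renders the log line into a buffer with a fixed
    "%s" format so that conversion specifiers inside the message stay inert, keeps
    a variadic path only for literal formats, and adds a small directive counter a
    logging layer can use to flag messages carrying "%" sequences.

```c
/*
 * Added example (not zkfingerd code): the hardened counterpart of the
 * _finger_error pattern. Untrusted text is only ever consumed by a "%s"
 * conversion in a literal format; it is never itself the format argument.
 * Output goes to a caller-supplied buffer so the behaviour can be checked.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Format a "< prefix msg >" log line with a fixed, literal format string.
 * Any '%' sequences inside msg are copied verbatim by "%s", never parsed.
 * Returns the length snprintf would have written (like snprintf itself). */
int safe_log_message(char *out, size_t outlen, const char *prefix, const char *msg)
{
    return snprintf(out, outlen, "< %s%s >", prefix, msg);
}

/* Variadic replacement for the vfprintf/vsyslog branch: fmt must be a
 * literal supplied by the caller, and external data travels through the
 * arguments. Callers who only have a message use safe_log_message(), so no
 * path exists where untrusted text reaches vsnprintf as fmt. */
int safe_log_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Count printf conversion directives in a message ("%%" is a literal percent
 * and is not counted). A logging layer can use this to flag or reject
 * messages from the network that carry directives. */
int count_format_directives(const char *msg)
{
    int count = 0;
    const char *p;

    for (p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a finger query string carrying directives, the kind
     * of input a fixed "%s" format renders harmlessly. */
    const char *hostile = "user %x%x%n not found";
    char line[128];

    safe_log_message(line, sizeof line, "finger: ", hostile);
    printf("%s\n", line);                       /* directives appear literally */
    printf("directives found: %d\n", count_format_directives(hostile));

    safe_log_format(line, sizeof line, "< %s:%d: lookup failed for %s >",
                    "die.c", 107, hostile);
    printf("%s\n", line);
    return 0;
}
```

    Building with -Wformat -Wformat-security is a cheap complement: the compiler
    flags every printf-family call whose format is not a literal, which is exactly
    the shape of the two calls the advisory marks.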
    
    
    I am studying the code; I will provide details of how to attack & exploit it......
    
    
    
    .............................................................................

    *****************************************************************************
    By "jsk" (akun), in ph4nt0m.net(c) Security.
    
    E-mail: jskat_private
    
    ph4nt0m Security Home: http://www.ph4nt0m.net 
    My World: http://jsk.njsafe.com
    My GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc
    



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 13:39:56 PDT