Re: zkfingerd-2.0.2(the last version)Format String Vulnerabilities

From: Vade 79 (v9at_private)
Date: Tue Jul 08 2003 - 15:42:46 PDT

    In-Reply-To: <20030708063317.8474.qmailat_private>
    
    went through the zkfingerd-2.0.2 source after reading this.  curious on 
    exploitation :)... anyways, i am not seeing anywhere in the source where 
    the "msg" buffer can allow for direct user input (formats).  only static 
    data/proper formats (including ones that look bad, but still are just 
    static data in a buffer) in all the die(), warn(), and putlog() 
    functions, which use the _fingerd_error() function.
    
    maybe i am just not seeing it?  but, i looked a couple times.  inform me 
    if i am misinformed about it. :/
    
    
    Vade79 -> fakehalo.deadpig.org -> fakehalo.
    
    
    >Received: (qmail 26972 invoked from network); 8 Jul 2003 19:44:25 -0000
    >Received: from outgoing2.securityfocus.com (205.206.231.26)
    >  by mail.securityfocus.com with SMTP; 8 Jul 2003 19:44:25 -0000
    >Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
    >	by outgoing2.securityfocus.com (Postfix) with QMQP
    >	id 3C3C88F6CB; Tue,  8 Jul 2003 13:43:46 -0600 (MDT)
    >Mailing-List: contact bugtraq-helpat_private; run by ezmlm
    >Precedence: bulk
    >List-Id: <bugtraq.list-id.securityfocus.com>
    >List-Post: <mailto:bugtraqat_private>
    >List-Help: <mailto:bugtraq-helpat_private>
    >List-Unsubscribe: <mailto:bugtraq-unsubscribeat_private>
    >List-Subscribe: <mailto:bugtraq-subscribeat_private>
    >Delivered-To: mailing list bugtraqat_private
    >Delivered-To: moderator for bugtraqat_private
    >Received: (qmail 3468 invoked from network); 8 Jul 2003 06:34:56 -0000
    >Date: 8 Jul 2003 06:33:17 -0000
    >Message-ID: <20030708063317.8474.qmailat_private>
    >Content-Type: text/plain
    >Content-Disposition: inline
    >Content-Transfer-Encoding: binary
    >MIME-Version: 1.0
    >X-Mailer: MIME-tools 5.411 (Entity 5.404)
    >From: yan feng <jskat_private>
    >To: bugtraqat_private
    >Subject: zkfingerd-2.0.2(the last version)Format String Vulnerabilities
    >
    >
    >
    >                                ========================================
    >	                        Ph4nt0m Security Advisory 2#2003--7-7
    >	                        ========================================
    > Title: zkfingerd-2.0.2(the last version)Format String Vulnerabilities  
    >
    > Advisory Number         : SRT2003-7-7-002
    > Product                 : zkfingerd
    > Version                 : 2.0.2 (possibly all versions)
    > Vendor                  : http://sourceforge.net/projects/zkfingerd
    > Class                   : Local&remote
    > Criticality             : high
    > Operating System(s)     : *nix
    >
    >
    > 
    >*****************************************************************************
    > high Level Description  : Format String Vulnerabilities in syslog() fprintf()
    >
    > 
    >*****************************************************************************
    >
    > Technical Details
    > ************************************************************************
    > zkfingerd-r3-0.9 could be remotely exploitable; the last version 2.0.2 also 
    >has a bug for Format String Vulnerabilities 
    > code find in src/die.c(_finger_error):107
    > .........................................
    >_finger_error(int options, char *function, char *file,
    >	int line, char *msg, ...)
    >{
    >	va_list	ap;
    >
    >	va_start(ap, msg);
    >
    >	chomp(msg);
    >
    >#ifdef	DEBUG
    >	if(options & DEBUG_ERROR)
    >		fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
    >	else
    >#endif
    >	if(!(options & QUIET_ERROR))
    >		fprintf(stdout, "< ");
    >
    >	if(strchr(msg, '%') != NULL && !ap)
    >	{
    >		if(!(options & QUIET_ERROR))
    >			fprintf(stdout, msg);  .....................point
    >(msg could be provided by us)
    >#ifndef	NO_SYSLOG
    >		syslog(LOG_CRIT, msg); .............................possibile
    >#endif
    >	}
    >	else
    >	{
    >		if(!(options & QUIET_ERROR))
    >			vfprintf(stdout, msg, ap);
    >
    >#ifndef	NO_SYSLOG
    >		vsyslog(LOG_CRIT, msg, ap);
    >#endif
    >	}
    >
    >	if(!(options & QUIET_ERROR))
    >	{
    >#ifdef	DEBUG
    >		fprintf(stdout, "%s\r\n",
    >			(!(options & DEBUG_ERROR)) ? " >" : "");
    >#else
    >		fprintf(stdout, " >\r\n");
    >#endif
    >	}
    >
    >	va_end(ap);
    >
    >	fflush(stdout);
    >
    >	if(options & FATAL_ERROR)
    >		exit(1);
    >
    >	return;
    >}
    >
    > 
    >so it is possible to corrupt memory by passing format strings through the 
    >vulnerable function. This may potentially be exploited to overwrite 
    >arbitrary locations in memory with attacker-specified values. 
    >
    >
    >I am studying the code, i will provide how to attack & exploit......
    >
    >
    >
    >.................................................................................................
    >
    >*************************************************************************************************
    >By "jsk" (akun), in ph4nt0m.net(c) Security.
    >
    >E-mail:jskat_private 
    >
    >ph4nt0m Security Home: http://www.ph4nt0m.net 
    >My World: http://jsk.njsafe.com
    >My GnuPG Public Key:http://202.119.104.82/webeq/app/jsk/jsk.asc
    >
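    The quoted _finger_error() decides whether to treat msg as a format string by testing strchr(msg, '%') and "!ap", so any message that reaches the QUIET_ERROR/stdout branch or the syslog() branch is handed to fprintf() and syslog() as the format itself. The fix practitioners apply is to never let message data occupy the format position: print it through a fixed "%s" format and reserve the variadic path for formats that are compile-time literals in the caller. The following C is an added example written for this archive page, not zkfingerd's own code and not from either poster; DEBUG_ERROR, QUIET_ERROR and the function names are this example's own assumptions, and the "%x%x%n" input in main() is a constructed sample.

```c
/* Added example (not zkfingerd code): hardened counterpart to the quoted
 * _finger_error() pattern. DEBUG_ERROR/QUIET_ERROR and all function names
 * below are assumptions made for this example. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_ERROR 0x01
#define QUIET_ERROR 0x02

/* Returns 1 if s contains a '%' that printf-family functions would treat as
 * a conversion directive; "%%" is the only '%' that prints literally.
 * This is an audit/detection check for what reaches a logging call. It is
 * NOT a safe gate for deciding whether to call fprintf(stdout, msg): the
 * quoted code's strchr(msg, '%') test is exactly that mistake. */
int has_format_directive(const char *s)
{
    const char *p;
    for (p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return 1;               /* "%x", "%n", or a lone trailing '%' */
    }
    return 0;
}

/* Render a message into a fixed buffer. is_format must be non-zero ONLY
 * when msg is a compile-time literal written by the caller; any data that
 * came from the network (finger query, username, .plan contents) goes
 * through the is_format == 0 path, where it is an argument to "%s". */
static char render_buf[256];

const char *render_message(int is_format, const char *msg, ...)
{
    va_list ap;
    if (!is_format) {
        snprintf(render_buf, sizeof render_buf, "%s", msg);
        return render_buf;
    }
    va_start(ap, msg);
    vsnprintf(render_buf, sizeof render_buf, msg, ap);
    va_end(ap);
    return render_buf;
}

/* Hardened equivalent of the quoted routine's stdout path: builds the same
 * "< msg >" line, but msg is always an argument to a fixed "%s" format, so
 * '%' sequences in input are printed, never interpreted. The syslog branch
 * gets the same treatment: syslog(LOG_CRIT, "%s", msg) instead of
 * syslog(LOG_CRIT, msg). Returns the rendered line (empty when quiet). */
static char line_buf[512];

const char *error_line(int options, const char *function, const char *file,
                       int line, const char *msg)
{
    char prefix[128] = "";
    if (options & DEBUG_ERROR)
        snprintf(prefix, sizeof prefix, "DBG %s:%s:%d: ", function, file, line);
    if (options & QUIET_ERROR) {
        line_buf[0] = '\0';     /* quiet: nothing is written to stdout */
        return line_buf;
    }
    snprintf(line_buf, sizeof line_buf, "%s< %s >\r\n", prefix, msg);
    return line_buf;
}

int main(void)
{
    /* Constructed sample of untrusted input: harmless here because it is
     * only ever passed as a "%s" argument. */
    const char *untrusted = "%x%x%n";
    printf("directive present: %d\n", has_format_directive(untrusted));
    fputs(error_line(DEBUG_ERROR, "finger_request", "die.c", 107, untrusted), stdout);
    return 0;
}
```

Compiling a code base with -Wformat-security (GCC/Clang) flags the fprintf(stdout, msg) and syslog(LOG_CRIT, msg) calls in the quoted routine directly, which is the cheapest way to find every caller that still passes data in the format position.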
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 10:03:53 PDT