Re: Red Hat 7.1 rpc.statd problem

From: Fyodor (fygraveat_private)
Date: Wed Dec 05 2001 - 12:49:08 PST

    On Wed, Dec 05, 2001 at 12:36:09PM -0800, Blue Boar wrote:
    > > .. now they fixed it to be:
    > >     syslog("lookup screwed for: %s\n", userdata);
    > > ...
    > 
    > So if someone has written a bad syslog implementation, then the format
    > string will get sent to the syslogd, and potentially exploit that?
    
    It is not a "bad syslog implementation". If it is a standard syslog
    function implementation (which is part of libc, by the way) which
    supports '%n' and similar arguments, and if the format string is affected by
    user-supplied data, it could be exploitable.
    (Not only syslog, which I used as an example, but a bunch of other functions
    too. There were some papers published on fmt bugs exploitation. Please
    refer to those for more details ;-))
    
    > 
    > Just seems to me that the statd code should use a smaller buffer,
    > or strip out some characters, or something that wouldn't put
    > such a scary entry into the log files. :)
    > 
    
    I guess 63(?) characters is the hostname max length according to the RFC. So
    it is probably a statd mess-up/oversight not to chop it (although I doubt
    it would do much harm in this case)..
    
    -- 
    http://www.notlsd.net
    PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
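The two points made in this exchange, shown as an added C example that is not part of Fyodor's mail or of the statd source: the fixed call keeps a constant format string and passes the attacker-influenced hostname only as a `%s` argument, so `%n` or `%x` in the name are inert text; and, as Blue Boar suggests, the name is clamped to 63 characters (the figure quoted above) and non-hostname characters are replaced before it reaches the log. The allowed character set and the `?` replacement are assumptions of this example, not anything the thread specifies.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

/* Length cap taken from the 63 quoted in the mail (assumption: one label). */
#define HOSTNAME_MAX 63

/* Copy `host` into `out` (capacity outsz), replacing every byte that is not a
   letter, digit, '-' or '.' with '?' and stopping at HOSTNAME_MAX characters.
   Returns the number of characters written, excluding the terminating NUL. */
size_t sanitize_hostname(const char *host, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return 0;
    while (host[n] != '\0' && n < HOSTNAME_MAX && n + 1 < outsz) {
        unsigned char c = (unsigned char)host[n];
        out[n] = (isalnum(c) || c == '-' || c == '.') ? (char)c : '?';
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Build the log line the way the fixed statd does. The format string is a
   compile-time constant; the hostname is only ever consumed by %s, so any
   '%' directives inside it are printed literally rather than interpreted.
   Returns snprintf's result (characters that would have been written). */
int format_lookup_failure(const char *host, char *msg, size_t msgsz)
{
    char clean[HOSTNAME_MAX + 1];
    sanitize_hostname(host, clean, sizeof clean);
    return snprintf(msg, msgsz, "lookup screwed for: %s", clean);
}

/* The pattern the thread describes as the original bug was, in effect,
   syslog(priority, userdata): the hostname itself became the format string.
   Here `msg` is passed as data behind a constant "%s" format instead. */
void log_lookup_failure(const char *host)
{
    char msg[128];
    format_lookup_failure(host, msg, sizeof msg);
    syslog(LOG_ERR, "%s", msg);
}

int main(void)
{
    /* Constructed hostname carrying format directives and excess length. */
    const char *hostile = "%n%n%x.example-with-a-deliberately-overlong-label-that-keeps-going.net";
    char msg[128];
    format_lookup_failure(hostile, msg, sizeof msg);
    puts(msg);
    return 0;
}
```

The sanitizer runs before formatting so the clamp applies to the hostname alone, not to the fixed prefix; a cap on the whole line would let a long prefix eat into the part of the name an operator needs to see.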
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 13:11:51 PST