On Wed, Dec 05, 2001 at 12:36:09PM -0800, Blue Boar wrote:
> > .. now they fixed it to be:
> > syslog("lookup screwed for: %s\n", userdata);
> > ...
>
> So if someone has written a bad syslog implementation, then the format
> string will get sent to the syslogd, and potentially exploit that?

It is not a "bad syslog implementation". If it is a standard syslog function implementation (which is part of libc, by the way) which supports '%n' and similar arguments, and if the format string is affected by user-supplied data, it could be exploitable. (Not only syslog, which I used as an example, but a bunch of other functions too. There were some papers published on fmt bug exploitation. Please refer to those for more details ;-))

> Just seems to me that the statd code should use a smaller buffer,
> or strip out some characters, or something that wouldn't put
> such a scary entry into the log files. :)
>

I guess 63(?) characters is the hostname max length according to the RFC. So it is probably a statd messup/overlook not to chop it. (Although I doubt it would make much harm in this case.)

--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
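The two patterns the thread contrasts, as an added example that is not part of the original mail or of statd: the 'before' form lets a caller-supplied string reach the formatter as the format itself, the 'after' form passes it as a `%s` argument and clips it to the 63-character hostname cap the reply mentions (the cap, the function names and the `%`-presence check are assumptions of this example, not code from the thread).

```c
#include <stdio.h>
#include <string.h>

/* Assumed hostname cap, taken from the "63(?) characters" remark in the mail. */
#define HOST_MAX 63

/* 'Before' pattern: user data becomes the format string. Any %x, %s or %n
 * inside `userdata` is interpreted by the formatter. Kept only for contrast;
 * it must never be fed untrusted input. */
int format_lookup_unsafe(char *out, size_t outsz, const char *userdata)
{
    char fmt[512];
    snprintf(fmt, sizeof fmt, "lookup screwed for: %s\n", userdata);
    return snprintf(out, outsz, fmt);   /* fmt is attacker-influenced here */
}

/* 'After' pattern: a literal format, user data as a %s argument, and the
 * hostname clipped to HOST_MAX so an oversized name cannot bloat the log line. */
int format_lookup_safe(char *out, size_t outsz, const char *userdata)
{
    return snprintf(out, outsz, "lookup screwed for: %.*s\n", HOST_MAX, userdata);
}

/* Detection helper for log review: a hostname should never carry '%'.
 * Returns 1 if the string contains a '%', which is worth flagging, else 0. */
int contains_fmt_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char line[256];
    /* Constructed input that would be interpreted by the unsafe form. */
    format_lookup_safe(line, sizeof line, "%x%x%n");
    fputs(line, stdout);   /* prints the directives literally, uninterpreted */
    /* Benign input only, to show the unsafe form's output for comparison. */
    format_lookup_unsafe(line, sizeof line, "db-01.example.org");
    fputs(line, stdout);
    return 0;
}
```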
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 13:11:51 PST