Re: Unreal ircd Format String Vuln

From: Syzop (syzat_private)
Date: Mon Feb 25 2002 - 19:07:21 PST


    Hi,
    
    "Gabriel A. Maggiotti" wrote:
    
    > Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function.
    > This function is in /src/cio_main.c file
    >
    > Piece of code:
    >
    >         va_start(argptr, InBuf);
    >         Len = vsprintf(Buffer, InBuf, argptr);
    >         va_end(argptr);
    >
    > The problem is with InBuf: if %p.%p.%p.%n is written in InBuf, a segfault
    > is produced; the program crashes when it tries to copy the value of eax
    > to the address of edx.
    
    Are you talking about:
    BOOL Cio_PrintF(HWND hWnd, char *InBuf, ...)
    {
    [..]
            va_start(argptr, InBuf);
            Len = vsprintf(Buffer, InBuf, argptr);
            va_end(argptr);
    
    ??
    Then I think you are wrong because it's the purpose of that function (see
    glibc documentation for example for va_* stuff).
    Of course, if the function Cio_PrintF is called with user input in InBuf, we have a problem.
    BTW I've never seen that function before and I don't see it used anywhere, but I might be
    wrong (I never look at the Windows part of the UnrealIrcd source).
    
    Please use Unreal3.2 (beta6 currently) instead, Unreal3.1.2 has some serious bugs.
    
        Bram Matthys (1% UnrealIrcd coder)
    
    PS: Please report bugs to codersat_private
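The distinction drawn in the reply above (a va_* wrapper is working as designed; the bug is a caller handing user input to it as InBuf), as an added C example that is not from this thread or from the UnrealIrcd source. log_fmt is a hypothetical stand-in for Cio_PrintF with the HWND parameter dropped, and it uses vsnprintf instead of vsprintf so the destination buffer is bounded as well.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a Cio_PrintF-style wrapper (HWND dropped).
 * The format string is meant to be a trusted literal; that is what the
 * va_* design assumes.  vsnprintf replaces vsprintf so a long message
 * cannot overrun the caller's buffer; the return value is the length the
 * full message needs, so a result >= outsz means it was truncated.
 * Adding __attribute__((format(printf, 3, 4))) here would make gcc/clang
 * flag any caller that passes a non-literal format. */
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return len;
}

/* WRONG: untrusted text becomes the format string, so any %-directive in
 * it is interpreted by vsnprintf.  Kept only to contrast with the fix. */
static int log_untrusted_wrong(char *out, size_t outsz, const char *user)
{
    return log_fmt(out, outsz, user);
}

/* RIGHT: untrusted text is an argument to the fixed "%s" format, so it is
 * copied verbatim and never parsed for directives. */
static int log_untrusted(char *out, size_t outsz, const char *user)
{
    return log_fmt(out, outsz, "%s", user);
}

/* 1 if the string survives the safe path byte for byte. */
static int safe_path_verbatim(const char *user)
{
    char out[64];
    log_untrusted(out, sizeof out, user);
    return strcmp(out, user) == 0;
}

/* Feeds a BENIGN string (only "%%", which consumes no argument) through the
 * wrong path; 1 if vsnprintf rewrote it, i.e. user text was interpreted. */
static int wrong_path_rewrites(const char *benign)
{
    char out[64];
    log_untrusted_wrong(out, sizeof out, benign);
    return strcmp(out, benign) != 0;
}
```

The contrast case deliberately uses "%%" rather than an argument-consuming directive, so it shows interpretation without undefined behaviour.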
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 02:21:21 PST