Formatstring Vulnerability in decfingerd 0.7

From: isox (isoxat_private)
Date: Tue Jun 25 2002 - 03:12:27 PDT


    Hello all,
    
    I have no idea if this is the most current version of this application; I 
    found it while browsing packetstormsecurity earlier.  For all I know it may 
    not even be kept current anymore.
    
    Anyhow... bad call to syslog() is the culprit.  I'm too lazy to code an 
    exploit for this at the moment but it should be fairly trivial to do if 
    anyone is interested in the task:
    
    
    Culprit code: decfingerd.c
    
    int main(void):
             char input[20], message[100];
    
    
             fgets(input, sizeof(input), stdin);
    
             sprintf(message, "Client %s requested info for %s\n", remoteIP, input);
             syslog(0, message, sizeof(message));
    
    
    
    Have a good one,
    isox
    
    ---
    - isoxat_private
    - http://0xc0ffee.com
    ---
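
The call quoted in the post passes `message`, which contains the client-supplied `input`, as the format argument of syslog(), so any `%` directives in the input are interpreted by the formatter. The following is an added example, not code from decfingerd or from the original post: it logs the same line through a constant `"%s"` format and counts the directives that would otherwise have reached the format argument. The function names, the sample IP and input, the use of `LOG_INFO`, and the bounded `snprintf()` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build the log line with bounded formatting (hypothetical helper).
 * Returns 0 on success, -1 if the line was truncated or formatting failed. */
int build_message(char *out, size_t outlen, const char *remote_ip, const char *input)
{
    int n = snprintf(out, outlen, "Client %s requested info for %s", remote_ip, input);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count the conversion directives a printf-style formatter would act on
 * in s. "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Corrected call: the message is data for a constant format string,
 * so directives inside it are logged verbatim instead of interpreted. */
void log_request(const char *message)
{
    syslog(LOG_INFO, "%s", message);
}

int main(void)
{
    /* Constructed sample standing in for a line read from the client. */
    const char *input = "%x.%x.%%";
    char message[100];

    if (build_message(message, sizeof(message), "192.0.2.10", input) != 0)
        return 1;
    printf("directives that would reach the format argument: %d\n",
           count_directives(message));
    log_request(message);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC or Clang) flags calls of the kind quoted in the post, where a non-literal string is passed as the format with no arguments.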
    


