Re: format strings vulns in /bin/login and /usr/bin/passwd

From: Brandon Erhart (berhartat_private)
Date: Mon Jan 27 2003 - 08:53:58 PST


    Faulty,
             Just because there's a *printf function called from the code 
    doesn't mean it's vuln. They'd have to overwrite data somewhere by possible 
    mis-use of the function(s). I do not know which flavor of Unix this is 
    from, so I'm unable to look over the source code at those lines specified.
             Perhaps you need to look at them and see if they don't use any 
    format strings and instead just pass variables -- that's always a tell-tale 
    sign :)
    
    Brandon E. Erhart
    
    At 02:19 AM 1/26/2003, Faultyat_private www.b0f.net wrote:
    
    
    >Hello while doing a scan for format strings vulns on util-linux package
    >it came back with the following results.
    >
    >./login.c:398 FUNC fprintf
    >./login.c:425 FUNC fprintf
    >./login.c:597 FUNC fprintf
    >./login.c:614 FUNC fprintf
    >./login.c:775 FUNC printf
    >./login.c:796 FUNC fprintf
    >./login.c:800 FUNC fprintf
    >./login.c:1109 FUNC syslog
    >./login.c:1119 FUNC printf
    >./login.c:1127 FUNC fprintf
    >./login.c:1183 FUNC fprintf
    >./login.c:1190 FUNC fprintf
    >./login.c:1201 FUNC fprintf
    >
    >./passwd.c:161 FUNC printf
    >./passwd.c:174 FUNC printf
    >./passwd.c:175 FUNC printf
    >./passwd.c:176 FUNC printf
    >./passwd.c:181 FUNC printf
    >./passwd.c:186 FUNC printf
    >./passwd.c:197 FUNC printf
    >./passwd.c:204 FUNC printf
    >./passwd.c:222 FUNC printf
    >./passwd.c:223 FUNC printf
    >./passwd.c:277 FUNC fprintf
    >./passwd.c:316 FUNC printf
    >./passwd.c:323 FUNC printf
    >./passwd.c:331 FUNC printf
    >./passwd.c:401 FUNC syslog
    >./passwd.c:410 FUNC printf
    >./passwd.c:414 FUNC printf
    >./passwd.c:420 FUNC printf
    >
    >There are also a few others on other programs but I thought these 2 would
    >be most important since passwd is suid and login could be exploited
    >remotely. I am not very experienced in format strings. Any help/comments
    >would be great. Would these be able to get exploited?
    >
    >Regards
    >
    >Faultyat_private
    >
    >www.b0f.net
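
Added example (not part of the original message, and not code from util-linux): a small C triage helper for the check the reply describes, namely whether the format argument of a printf-family call is a string literal or a variable. The function table, the treatment of `_("...")` as a gettext-wrapped literal, and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { NO_CALL, LITERAL_FMT, VARIABLE_FMT };

/* printf-family functions and the zero-based index of the format argument. */
static const struct { const char *name; int fmt_idx; } FUNCS[] = {
    {"snprintf", 2}, {"fprintf", 1}, {"sprintf", 1}, {"syslog", 1}, {"printf", 0},
};

/* Return the idx-th top-level argument (p starts just after '('), or NULL. */
static const char *nth_arg(const char *p, int idx) {
    int depth = 0, in_str = 0;
    for (; *p && idx > 0; p++) {
        if (in_str) {
            if (*p == '\\' && p[1]) p++;          /* skip escaped character */
            else if (*p == '"') in_str = 0;
        } else if (*p == '"') in_str = 1;
        else if (*p == '(') depth++;
        else if (*p == ')') { if (depth-- == 0) return NULL; }
        else if (*p == ',' && depth == 0) idx--;
    }
    while (isspace((unsigned char)*p)) p++;
    return *p ? p : NULL;
}

/* Classify a printf-family call found on one source line. */
enum verdict classify_call(const char *line) {
    for (size_t i = 0; i < sizeof FUNCS / sizeof FUNCS[0]; i++) {
        size_t n = strlen(FUNCS[i].name);
        for (const char *hit = line; (hit = strstr(hit, FUNCS[i].name)); hit += n) {
            const char *q = hit + n;
            if (hit > line && (isalnum((unsigned char)hit[-1]) || hit[-1] == '_')) continue;
            while (isspace((unsigned char)*q)) q++;
            if (*q != '(') continue;
            const char *arg = nth_arg(q + 1, FUNCS[i].fmt_idx);
            /* Assumption: _("...") is the gettext macro wrapping a literal. */
            if (arg) return (*arg == '"' || !strncmp(arg, "_(\"", 3)) ? LITERAL_FMT : VARIABLE_FMT;
        }
    }
    return NO_CALL;
}

int main(void) {
    /* Constructed sample lines, not taken from util-linux. */
    const char *s[] = { "fprintf(stderr, \"login: %s\\n\", name);", "syslog(LOG_ERR, msg);", "printf(buf);" };
    for (size_t i = 0; i < 3; i++) printf("%d  %s\n", classify_call(s[i]), s[i]);
    return 0;
}
```

A `VARIABLE_FMT` result only marks a call site for manual review; whether it matters depends on whether that variable can carry user-controlled data.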
    


