From owner-freebsd-security Thu Sep 7 13:48:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 6EC3B37B423 for ; Thu, 7 Sep 2000 13:48:23 -0700 (PDT)
Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id WAA00866; Thu, 7 Sep 2000 22:48:08 +0200 (MET DST)
Date: Thu, 7 Sep 2000 22:48:08 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009071618.e87GIOG16223@billy-club.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "Vladimir Mencl, MK, susSED" writes:
> : I allowed a user to run '/bin/ls -l /' as root - a simple test.
> :
> : /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing
> : localized date/time formatting) even when invoked via
> : sudo. That would be sufficient to use the vulnerability, I suppose.
>
> Did it allow you to read a file in PATH_LOCALE that otherwise it
> wouldn't have? Are there buffer overflows that this could exploit?
> Are there information leaks that you could force with this? What,
> specifically, is the problem here?

I have not tried reading a file I would not have permission for; that is not something I could use the locales for, unless the file was in the format used by locales. I do not think that this mechanism could be used for arbitrary files.

The point is that if I submitted an evil locale, especially a locale containing formatting strings with "%n"s, and generally with a lot of weird formatting characters, I could potentially make that sudo-run program execute arbitrary code provided by me. That's what the original bugtraq advisory was about, and what I claim can be exploited with sudo on FreeBSD too.

However, the vulnerability is not a buffer overflow; it's only a not-properly-checked format string, and creating an exploit using only "%n"s would be really ugly, hard work, and I would be trying to avoid doing it at any cost....

Best regards and good night

Vladimir Mencl
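The hardening the thread points at, as an added example that is not code from the thread, from sudo or from FreeBSD: beyond a privileged program (or sudo) refusing to honor LC_ALL / PATH_LOCALE from an untrusted caller, any format string that does come from a locale or message catalog can be checked against the program's compiled-in format before use, so that "%n" or a changed set of directives is rejected. The function names and the directive sets are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Added example (not from the thread or FreeBSD): a check a privileged
 * program can apply to a printf-style format string that came from an
 * untrusted locale or message catalog. The untrusted string passes only
 * if its directives (length modifier plus conversion) match the program's
 * own built-in format one for one, and "%n" is never accepted.
 */

/* Append each directive of fmt (e.g. "ld", "s") to out; return the number
 * of directives, or -1 if fmt is malformed or uses a forbidden directive. */
static int collect_directives(const char *fmt, char *out, size_t outsz)
{
    size_t len = 0;
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')            /* "%%": a literal percent, no argument */
            continue;
        while (*p && strchr("-+ #0123456789.", *p))   /* flags, width, precision */
            p++;
        while (*p && strchr("hlLqjzt", *p)) {        /* length modifiers */
            if (len + 1 >= outsz) return -1;
            out[len++] = *p++;
        }
        /* '*' (extra argument), "%n" (memory write) and unknown conversions
         * all end up here and are rejected. */
        if (!*p || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;
        if (len + 1 >= outsz) return -1;
        out[len++] = *p;
        count++;
    }
    out[len] = '\0';
    return count;
}

/* True only if untrusted carries exactly the directives of trusted (the
 * program's compiled-in format), so the argument list still matches. */
bool locale_format_is_safe(const char *trusted, const char *untrusted)
{
    char a[64], b[64];
    if (collect_directives(trusted, a, sizeof a) < 0)
        return false;
    if (collect_directives(untrusted, b, sizeof b) < 0)
        return false;
    return strcmp(a, b) == 0;
}
```

A catalog string that fails the check should fall back to the compiled-in format rather than be passed to printf at all.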