From: Warner Losh
To: "Vladimir Mencl, MK, susSED"
Cc: freebsd-security@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Date: Thu, 07 Sep 2000 14:59:55 -0600
Message-Id: <200009072059.OAA05785@harmony.village.org>
In-reply-to: Your message of "Thu, 07 Sep 2000 22:48:08 +0200."

In message "Vladimir Mencl, MK, susSED" writes:
: The point is, that if I submitted an evil locale - especially, a locale
: containing formatting strings with "%n"s, and generally with a lot of
: weird formatting characters, I could potentially make that sudo-run
: program execute arbitrary code provided by me - that's what the original
: bugtraq advisory was about, and what I claim that with sudo can be
: exploited on FreeBSD too.

Ah. I see your point. This is a generic problem then. However, it is a problem with sudo (which is why I keep adding millert back to the list of CC'd people). It likely isn't a big problem for reasons I explained earlier. sudo isn't intended to be a bulletproof way to give users the ability to execute N listed commands, as many of those may have sub commands. Todd can take a stand on this more accurately.

: However, the vulnerability is not a buffer overflow, it's only a
: not-properly-checked format string, and creating an exploit only using
: "%n"s would be a really ugly hard work, and I would be trying to avoid
: doing it at any cost....

Hmmmm. Maybe this could be done. The proper fix isn't to fix sudo, of course, but rather to ensure that sufficient arguments are present to consume the % chars and if not to not do anything.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
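A defender-side illustration of the fix Warner describes, added here as an example and not code from this thread, from sudo or from FreeBSD: before handing a locale-supplied message to printf, compare its conversion directives against the trusted original format and refuse it on any mismatch, on "%n", or on "*" (which would consume extra arguments). Function names and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Collect the conversion characters of fmt into out (capacity n), in order.
 * Returns the count, or -1 if fmt is malformed, uses '*' (argument-supplied
 * width/precision), or contains %n, which writes to memory and has no place
 * in a message catalog. Flags, width, precision and length modifiers are
 * skipped; "%%" is a literal percent and is ignored. */
static int fmt_conversions(const char *fmt, char *out, size_t n)
{
    size_t count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                   /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        while (*p >= '0' && *p <= '9') p++;             /* field width */
        if (*p == '*') return -1;                       /* width from args */
        if (*p == '.') {                                /* precision */
            p++;
            while (*p >= '0' && *p <= '9') p++;
        }
        if (*p == '*') return -1;                       /* precision from args */
        while (*p && strchr("hlLqjzt", *p)) p++;        /* length modifiers */
        if (*p == '\0' || *p == 'n' || !strchr("diouxXeEfFgGaAcsp", *p))
            return -1;                                  /* %n, unknown, truncated */
        if (count >= n) return -1;
        out[count++] = *p;
    }
    return (int)count;
}

/* Return 1 if untrusted (e.g. a translation pulled from a locale file) uses
 * exactly the conversions of the trusted format, in the same order, so every
 * directive is matched by a real argument; 0 means do not use it at all. */
int fmt_matches(const char *untrusted, const char *expected)
{
    char a[32], b[32];
    int na = fmt_conversions(untrusted, a, sizeof a);
    int nb = fmt_conversions(expected, b, sizeof b);
    if (na < 0 || nb < 0 || na != nb)
        return 0;
    return memcmp(a, b, (size_t)na) == 0;
}

int main(void)
{
    const char *trusted = "%s: command not found\n";   /* constructed original */
    const char *good = "%s: Befehl nicht gefunden\n";   /* constructed translation */
    const char *bad = "%s: %x %x %n\n";                 /* constructed hostile entry */
    printf("good=%d bad=%d\n", fmt_matches(good, trusted), fmt_matches(bad, trusted));
    return 0;
}
```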