Date: Thu, 7 Sep 2000 14:19:06 -0700 (PDT)
From: Kris Kennaway
To: Warner Losh
Cc: "Vladimir Mencl, MK, susSED", freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009071618.e87GIOG16223@billy-club.village.org>

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "Vladimir Mencl, MK, susSED" writes:
> : I allowed a user to run '/bin/ls -l /' as root - a simple test.
> :
> : /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
> : localized date/time formatting) even when invoked via
> : sudo. That would be sufficient to use the vulnerability, I suppose.
>
> Did it allow you to read a file in PATH_LOCALE that otherwise it
> wouldn't have? Are there buffer overflows that this could exploit?
> Are there information leaks that you could force with this? What,
> specifically, is the problem here?

If a program contains format string vulnerabilities which are used in
conjunction with retrieved locale data then they can be exploited. I
don't believe we have any more of these bugs in the base system as of
4.1, but some ports certainly do.
It may also be possible to read bits of an arbitrary file accessible to
that user which would be displayed where the localized text is used,
although I don't know how much sanity checking the locale functions do
of their file input (i.e. whether a malformed file will be rejected with
an error message, or if it will still be interpreted somehow and spat
out).

Again, the problem here is with sudo, not with something that comes in
FreeBSD.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
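The mitigation the thread points at (a sudo-style wrapper must not hand the invoking user's locale variables to the privileged command) as an added example, not code from this thread, from sudo, or from FreeBSD: a small C environment filter that drops LC_*, LANG, PATH_LOCALE and NLSPATH before the wrapper would execve its target. The thread names only LC_ALL and PATH_LOCALE; the rest of the variable list is an assumption about the usual locale/catalog knobs, and the sample environment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Variables that steer locale/message-catalog file lookup. Any of them lets
 * the invoking user point a privileged program at a file they control, so a
 * sudo-style wrapper should drop them. Assumed list: the thread names LC_ALL
 * and PATH_LOCALE; the others are the usual locale/NLS knobs. */
static const char *const locale_vars[] = {
    "LANG", "LC_ALL", "LC_MESSAGES", "LC_TIME", "LC_CTYPE", "LC_COLLATE",
    "LC_MONETARY", "LC_NUMERIC", "PATH_LOCALE", "NLSPATH", NULL
};

/* Return 1 if "NAME=value" names a locale-steering variable (any LC_* name
 * or an exact match in locale_vars), 0 otherwise. */
int is_locale_var(const char *kv)
{
    const char *eq = strchr(kv, '=');
    size_t n = eq ? (size_t)(eq - kv) : strlen(kv);
    if (n >= 3 && strncmp(kv, "LC_", 3) == 0)
        return 1;
    for (const char *const *p = locale_vars; *p; p++)
        if (strlen(*p) == n && strncmp(kv, *p, n) == 0)
            return 1;
    return 0;
}

/* Copy the NULL-terminated entries of `in` into `out`, skipping locale
 * variables. `out` must hold `cap` pointers including the terminating NULL.
 * Returns the number of entries kept, or -1 if `out` is too small. */
int sanitize_env(char *const in[], char *out[], size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; in[i]; i++) {
        if (is_locale_var(in[i]))
            continue;
        if (kept + 1 >= cap)
            return -1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

int main(void)
{
    /* Constructed environment as a user might hand it to a wrapper. */
    char *env[] = { "PATH=/bin:/usr/bin", "LC_ALL=/tmp/mylocale", "HOME=/home/u",
                    "PATH_LOCALE=/tmp", "TERM=xterm", NULL };
    char *clean[8];
    int n = sanitize_env(env, clean, 8);
    for (int i = 0; i < n; i++)
        printf("%s\n", clean[i]);
    /* A real wrapper would now execve(path, argv, clean). */
    return 0;
}
```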