From: "Vladimir Mencl, MK, susSED"
To: Warner Losh
Cc: freebsd-security@FreeBSD.ORG, millert@openbsd.org
Date: Thu, 7 Sep 2000 23:42:44 +0200 (MET DST)
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <200009072059.OAA05785@harmony.village.org>

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message "Vladimir Mencl, MK, susSED" writes:
> : The point is, that if I submitted an evil locale - especially, a locale
> : containing formatting strings with "%n"s, and generally with a lot of
> : weird formatting characters, I could potentially make that sudo-run
> : program execute arbitrary code provided by me - that's what the original
> : bugtraq advisory was about, and what I claim that with sudo can be
> : exploited on FreeBSD too.
>
> Ah. I see your point. This is a generic problem then. However, it
> is a problem with sudo (which is why I keep adding millert back to the
> list of CC'd people). It likely isn't a big problem for reasons I
> explained earlier. sudo isn't intended to be a bulletproof way to give
> users the ability to execute N listed commands, as many of those may
> have sub commands. Todd can take a stand on this more accurately.

I had always considered sudo such a tool. Unless you explicitly allow a variable command line for the commands executed, only the exact arguments specified on the command line in the sudoers file may be passed.
With respect to the two most recent posts:

1) Yes, I'm worried about exploits using %n. That's what the original bugtraq post was worried about.

2) Yes, the solution is that sudo must strip the NLS variables.

Vladimir Mencl
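An added C example, not from this thread or from sudo's own source, of the mitigation Vladimir asks for: a privilege-boundary program drops the locale-related environment variables before executing its target, so a caller cannot steer message-catalog lookup to a file whose strings later reach printf-style functions as format strings. The list of variable prefixes is an assumption chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Environment variables that steer locale / message-catalog lookup.
 * If the unprivileged caller controls these, a setuid program may load
 * a catalog the caller wrote, and its "translated" strings then reach
 * printf-style functions as format strings.  Constructed policy for
 * this example; it is not sudo's own list. */
static const char *const nls_prefixes[] = {
    "LANG=", "LANGUAGE=", "LC_", "NLSPATH=", "LOCPATH=", NULL
};

/* Return 1 if an "NAME=value" entry matches one of the prefixes above. */
static int is_nls_var(const char *entry) {
    for (size_t i = 0; nls_prefixes[i] != NULL; i++)
        if (strncmp(entry, nls_prefixes[i], strlen(nls_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Copy envp, dropping every locale-related entry.  Returns a new
 * NULL-terminated array (caller frees it with free(); the entry strings
 * are shared with the input), or NULL on allocation failure. */
char **strip_nls_env(char *const envp[]) {
    size_t n = 0;
    while (envp[n] != NULL) n++;
    char **clean = malloc((n + 1) * sizeof *clean);
    if (clean == NULL) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_nls_var(envp[i]))
            clean[k++] = envp[i];
    clean[k] = NULL;
    return clean;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_len(char *const envp[]) {
    size_t n = 0;
    while (envp[n] != NULL) n++;
    return n;
}

int main(void) {
    /* Constructed sample environment for the demonstration. */
    char *sample[] = { "PATH=/bin:/usr/bin", "LANG=C", "LC_ALL=cs_CZ",
                       "NLSPATH=/usr/share/locale/%L/%N", "HOME=/root", NULL };
    char **clean = strip_nls_env(sample);
    for (size_t i = 0; clean != NULL && clean[i] != NULL; i++)
        puts(clean[i]);   /* prints only PATH and HOME */
    free(clean);
    return 0;
}
```

The cleaned array is what would be handed to execve() in place of the caller's environment.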