Date: Sun, 25 Jun 2000 23:44:23 -0700 (PDT)
From: "tjk@tksoft.com" <tjk@tksoft.com>
To: wes@softweyr.com (Wes Peters)
Cc: dima@rdy.com, y-koga@jp.FreeBSD.org, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
Message-ID: <200006260644.XAA15576@uno.tksoft.com>
In-Reply-To: <3956D5A3.1C2E8D06@softweyr.com> from "Wes Peters" at Jun 25, 0 10:01:39 pm
The bottom line is that the wu-ftpd bug is caused by a line of code which uses a user-supplied string as the format string passed to printf(). printf is: int printf(const char *, ...), where the first argument is the format string. If the format string is supplied by the user, then the function can do unintended things.

Troy

> Dima Ruban wrote:
> >
> > Wes Peters writes:
> > > Dima Ruban wrote:
> > > >
> > > > What's the purpose of this patch?
> > > > I didn't look at the code, but to me it sounds like it's pretty much
> > > > irrelevant whether you gonna use ``foo(fmt, string)'' or ``foo(string)''
> > >
> > > If string contains formatting codes, foo("%s", string) does the right
> > > thing and just puts out the formatting codes in the string. foo(string)
> > > tries to interpret the embedded format codes and blows the stack.
> > >
> >
> > Well, if in addition to "fmt" argument, string will contain formatting code[s],
> > the result will be just the same. (at least with printf() family).
>
> Since when did printf try to interpret formatting codes within an argument
> string? In fact, it does not:
>
> wes@homer$ cat foo.c
> #include <stdio.h>
>
> int main(void)
> {
>     char *s = "This is a %s string.\n";
>
>     /* s is passed as data; the literal "%s" is the only format. */
>     printf("\nWith format string:\n");
>     printf("%s", s);
>
>     /* s is passed as the format; printf parses its embedded %s and
>        consumes an argument that was never supplied. */
>     printf("\nWithout format string:\n");
>     printf(s);
>     return 0;
> }
> wes@homer$ ./foo
>
> With format string:
> This is a %s string.
>
> Without format string:
> This is a This is a %s string.
> string.
>
> Notice the second output is scrambled, as printf apparently finds a
> pointer to the string on the stack and prints it within itself. Oops.
> As you can see, the first printf using the %s code worked fine.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters Softweyr LLC
> wes@softweyr.com http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
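The vulnerable and the fixed call patterns Troy describes, side by side, as an added example that is not code from the thread or from wu-ftpd. The names log_unsafe, log_safe and has_conversion are hypothetical, "user" stands for an attacker-controlled string such as an FTP command argument, and the single 0xdeadbeef argument passed by log_unsafe is a demo device: it gives one %x a defined value to consume so the program stays well-defined, whereas the real bug supplies no arguments at all and each conversion reads whatever sits in the next argument slot.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread). "user" is attacker-controlled. */

/* Vulnerable pattern: the untrusted string IS the format string.
 * The one extra argument exists only to keep this demo defined for a
 * single %x; in the real bug nothing is supplied and the conversions
 * read registers/stack, and %n writes through them. */
int log_unsafe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, user, 0xdeadbeefu);
}

/* Fixed pattern: a literal format string; the untrusted string is data,
 * so any '%' it contains is copied verbatim and never interpreted. */
int log_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Audit helper: would this string be interpreted if it reached a
 * printf-family format argument? "%%" is a literal percent and does
 * not count; any other '%' starts a conversion specification. */
int has_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; "%n%n%n" is only ever given to log_safe,
     * because with the unsafe call it would write through pointers. */
    const char *inputs[] = { "hello", "100%% done", "%x", "%n%n%n" };
    const char *benign[] = { "hello", "100%% done", "%x" };
    char buf[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        log_safe(buf, sizeof buf, inputs[i]);
        printf("safe:   %-10s -> \"%s\"  (has conversion: %d)\n",
               inputs[i], buf, has_conversion(inputs[i]));
    }
    for (size_t i = 0; i < sizeof benign / sizeof benign[0]; i++) {
        log_unsafe(buf, sizeof buf, benign[i]);
        printf("unsafe: %-10s -> \"%s\"\n", benign[i], buf);
    }
    return 0;
}
```

The safe variant emits "%x" and "100%% done" exactly as given, while the unsafe variant turns "%x" into "deadbeef" and "100%% done" into "100% done": the user's bytes steered what snprintf did. has_conversion is the check to run over any string that is about to become a format argument, or over log lines, when auditing for this class of bug; gcc's -Wformat-security flags the no-argument form at compile time.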
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006260644.XAA15576>