Date: Thu, 7 Sep 2000 23:42:44 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To: Warner Losh <imp@village.org>
Cc: freebsd-security@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <Pine.GSO.4.10.10009072305440.845-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <200009072059.OAA05785@harmony.village.org>
On Thu, 7 Sep 2000, Warner Losh wrote:

> In message <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
> : The point is, that if I submitted an evil locale - especially, a locale
> : containing formatting strings with "%n"s, and generally with a lot of
> : weird formatting characters, I could potentially make that sudo-run
> : program execute arbitrary code provided by me - that's what the original
> : bugtraq advisory was about, and what I claim that with sudo can be
> : exploited on FreeBSD too.
>
> Ah. I see your point. This is a generic problem then. However, it
> is a problem with sudo (which is why I keep adding millert back to the
> list of CC'd people). It likely isn't a big problem for reasons I
> explained earlier. sudo isn't intended to be a bulletproof way to give
> users the ability to execute N listed commands, as many of those may
> have sub commands. Todd can take a stand on this more accurately.

I had always considered sudo such a tool. Unless you explicitly allow a
variable command-line for the commands executed, only the exact arguments
specified on the command-line in the sudoers file may be passed.

With respect to the two most recent posts:

1) Yes, I'm worried about exploits using %n. That's what the original
   bugtraq post was worried about.

2) Yes, the solution is that sudo must strip the NLS variables.

Vladimir Mencl