Date: Thu, 07 Sep 2000 14:59:55 -0600
From: Warner Losh <imp@village.org>
To: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
Cc: freebsd-security@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <200009072059.OAA05785@harmony.village.org>
In-Reply-To: Your message of "Thu, 07 Sep 2000 22:48:08 +0200." <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz>
References: <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz>
In message <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
: The point is, that if I submitted an evil locale - especially, a locale
: containing formatting strings with "%n"s, and generally with a lot of
: weird formatting characters, I could potentially make that sudo-run
: program execute arbitrary code provided by me - that's what the original
: bugtraq advisory was about, and what I claim that with sudo can be
: exploited on FreeBSD too.

Ah. I see your point. This is a generic problem then. However, it is a problem with sudo (which is why I keep adding millert back to the list of CC'd people). It likely isn't a big problem for reasons I explained earlier. sudo isn't intended to be a bulletproof way to give users the ability to execute N listed commands, as many of those may have sub commands. Todd can take a stand on this more accurately.

: However, the vulnerability is not a buffer overflow, it's only a
: not-properly-checked format string, and creating an exploit only using
: "%n"s would be a really ugly hard work, and I would be trying to avoid
: doing it at any cost....

Hmmmm. Maybe this could be done. The proper fix isn't to fix sudo, of course, but rather to ensure that sufficient arguments are present to consume the % chars and if not to not do anything.

Warner
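The fix Warner describes, checking that a locale-supplied format string cannot consume more (or different) arguments than the program actually passes, is easiest to enforce by comparing the directive sequence of the untrusted string against the program's own trusted format and falling back to the trusted one on any mismatch. The following is an added illustration written for this page, not code from sudo, FreeBSD libc or anyone in the thread; the function names (parse_conversions, locale_format_is_safe, choose_format) and the sample strings are constructed for the example, and it assumes no positional (%1$s) directives are in use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONV 16

/*
 * Walk a printf-style format and record, in order, each directive that
 * would consume an argument: the conversion character itself, plus '*'
 * for a width or precision taken from the argument list.
 * Returns the count, or -1 if the format is malformed, uses an unknown
 * conversion, or contains %n (a memory write that has no legitimate
 * place in a message catalog).
 */
static int parse_conversions(const char *fmt, char *out, size_t outlen)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" is a literal percent sign */
            continue;
        /* flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') {    /* '*' pulls an int off the argument list */
                if ((size_t)n >= outlen)
                    return -1;
                out[n++] = '*';
            }
            p++;
        }
        if (*p == '\0')         /* dangling '%' at end of string */
            return -1;
        if (*p == 'n')          /* never acceptable from untrusted input */
            return -1;
        if (!strchr("diouxXeEfFgGaAcsp", *p))
            return -1;          /* unknown conversion character */
        if ((size_t)n >= outlen)
            return -1;
        out[n++] = *p;
    }
    return n;
}

/*
 * The translated string is acceptable only if it consumes exactly the
 * same argument sequence as the trusted, compiled-in format.
 */
bool locale_format_is_safe(const char *trusted, const char *untrusted)
{
    char a[MAX_CONV], b[MAX_CONV];
    int na = parse_conversions(trusted, a, sizeof a);
    int nb = parse_conversions(untrusted, b, sizeof b);
    if (na < 0 || nb < 0)
        return false;
    return na == nb && memcmp(a, b, (size_t)na) == 0;
}

/* Format to hand to the printf family: the translation if it checks out,
 * otherwise the trusted original ("do nothing" with the bad string). */
const char *choose_format(const char *trusted, const char *untrusted)
{
    return locale_format_is_safe(trusted, untrusted) ? untrusted : trusted;
}

int main(void)
{
    /* Constructed samples: a benign translation and two bad catalog entries. */
    const char *trusted = "%s: command not found\n";
    const char *good    = "%s: Befehl nicht gefunden\n";
    const char *bad_n   = "%s: %n%n%n\n";
    const char *bad_x   = "%s: %x %x %x %x\n";

    printf(choose_format(trusted, good), "frobnicate");  /* translation used */
    printf(choose_format(trusted, bad_n), "frobnicate"); /* falls back */
    printf(choose_format(trusted, bad_x), "frobnicate"); /* falls back */
    return 0;
}
```

The comparison is deliberately stricter than just counting percent signs: a string with the right number of directives but a different type sequence ("%d" where the program passes a char pointer) would still read the stack wrongly, so the directive sequence, including '*' widths, must match exactly. This is the same idea that message-catalog tools apply when they verify translations against the original string.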