Date:      8 Sep 2000 01:53:05 -0300
From:      Iván Arce <core.lists.freebsd-security@core-sdi.com>
To:        freebsd-security@freebsd.org
Subject:   Re: UNIX locale format string vulnerability (fwd)
Message-ID:  <39B81932.F5832679@core-sdi.com>
References:  <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz> <200009072059.OAA05785@harmony.village.org>



Warner Losh wrote:
> 
> In message <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
> : The point is, that if I submitted an evil locale - especially, a locale
> : containing formatting strings with "%n"s, and generally with a lot of
> : weird formatting characters, I could potentially make that sudo-run
> : program execute arbitrary code provided by me - that's what the original
> : bugtraq advisory was about, and what I claim that with sudo can be
> : exploited on FreeBSD too.
> 
> Ah.  I see your point.  This is a generic problem then.  However, it
> is a problem with sudo (which is why I keep adding millert back to the
> list of CC'd people).  It likely isn't a big problem for reasons I
> explained earlier.  sudo isn't intended to be a bulletproof way to give
> users the ability to execute N listed commands, as many of those may
> have sub commands.  Todd can take a stand on this more accurately.
> 
> : However, the vulnerability is not a buffer overflow, it's only a
> : not-properly-checked format string, and creating an exploit only using
> : "%n"s would be a really ugly hard work, and I would be trying to avoid
> : doing it at any cost....
> 
> Hmmmm.  Maybe this could be done.  The proper fix isn't to fix sudo,
> of course, but rather to ensure that sufficient arguments are present
> to consume the % chars and if not to not do anything.

No, the proper fix is to 
 1. Ensure that SUID programs don't follow user directives of where
   to take messages with catgets() from. (This is done on
   FreeBSD base system)
 
AND

 2. to ensure that unchecked user supplied data is not passed
    to printf() functions as the fmt argument.

    If instead of doing printf(catgets("foo")) you
    do printf("%s",catgets("foo")) the problem does not appear.


Adding checks to GLIBC (like vendors did) solves the problem but that
can not replace writing secure code in the first place.

The thing is, just the fact that printf() consumes all its arguments does
not guarantee that the program will behave as expected if someone plays
with the format string; in fact, changing "%s%s%s" to "%s%n%n" will take
the same number of arguments but the results are quite different.
Is it exploitable? Dunno, depends on the particular program, but one
thing is clear: it will not do what it is expected to do.

-ivan


-- 
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce@core-sdi.com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce@core-sdi.com
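An added example illustrating the two points made above (it is not code from the thread, from sudo, or from FreeBSD): `count_conversions` shows why "count the % characters" is not a fix, since "%s%s%s" and "%s%n%n" consume the same number of arguments, while `render_vulnerable` and `render_safe` contrast `printf(msg)` with `printf("%s", msg)`. The message strings are constructed stand-ins for what catgets() would return from a user-controlled catalog; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count how many printf arguments a format string would consume.
 * "%%" is a literal percent and consumes nothing; every other "%"
 * introduces one conversion ("*" widths are ignored for brevity). */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* "%%": literal percent */
        n++;
    }
    return n;
}

/* True if the message carries a "%n" directive, which writes to memory
 * instead of reading an argument: the directive the thread singles out. */
bool has_write_directive(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        p++;                                  /* skip flags/width/precision */
        while (*p && strchr("-+ #0123456789.", *p))
            p++;
        if (*p == 'n')
            return true;
        if (!*p)
            break;
    }
    return false;
}

/* Vulnerable shape: the catalog message *is* the format string, so any
 * "%" it contains is interpreted. Compilers warn about this for a reason. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_vulnerable(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, msg);
}
#pragma GCC diagnostic pop

/* Hardened shape from the thread: the message is only ever an argument,
 * so its "%" characters are copied verbatim and never interpreted. */
int render_safe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, "%s", msg);
}
```

With a benign message such as "100%% done" the two renderers already diverge; with a hostile one only `render_safe` has defined behaviour, which is why the test feeds "%s%n%n" to it alone.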

