Date:      Thu, 7 Sep 2000 14:19:06 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Warner Losh <imp@village.org>
Cc:        "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
Subject:   Re: UNIX locale format string vulnerability (fwd) 
Message-ID:  <Pine.BSF.4.21.0009071356030.8316-100000@freefall.freebsd.org>
In-Reply-To: <200009071618.e87GIOG16223@billy-club.village.org>

On Thu, 7 Sep 2000, Warner Losh wrote:

> In message <Pine.GSO.4.10.10009071250210.25945-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
> : I allowed a user to run '/bin/ls -l /' as root - a simple test.
> : 
> : /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
> : localized date/time formatting) even when invoked via
> : sudo. That would be sufficient to use the vulnerability, I suppose.
> 
> Did it allow you to read a file in PATH_LOCALE that otherwise it
> wouldn't have?  Are there buffer overflows that this could exploit?
> Are there information leaks that you could force with this?  What,
> specifically, is the problem here?

If a program contains format string vulnerabilities which are used in
conjunction with retrieved locale data then they can be exploited. I don't
believe we have any more of these bugs in the base system as of 4.1, but
some ports certainly do.

It may also be possible to read bits of an arbitrary file accessible to
that user which would be displayed where the localized text is used,
although I don't know how much sanity checking the locale functions do of
their file input (i.e. whether a malformed file will be rejected with an
error message, or if it will still be interpreted somehow and spat out)

Again, the problem here is with sudo, not with something that comes in
FreeBSD.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
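The attack Kris describes, worked through as an added example that is not part of this thread, of sudo, or of FreeBSD's libc: a privileged program lets the caller's LC_* / PATH_LOCALE pick which locale files libc reads, and then hands text from those files to printf(3) as the format. The variable list, the function names and the sample environment below are illustrative assumptions; sudo's real env_reset lists differ.

```c
/* Added example, not code from the thread, sudo or FreeBSD. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed list of variables that let the caller choose which locale
 * files libc reads. Illustrative only; sudo's env_reset list differs. */
static const char *const locale_vars[] = {
    "LANG", "LC_ALL", "LC_CTYPE", "LC_COLLATE", "LC_MESSAGES", "LC_MONETARY",
    "LC_NUMERIC", "LC_TIME", "PATH_LOCALE", "NLSPATH", NULL
};

/* Return 1 if a "NAME=value" entry names a locale-controlling variable. */
int is_locale_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (int i = 0; locale_vars[i] != NULL; i++) {
        if (strlen(locale_vars[i]) == len &&
            strncmp(entry, locale_vars[i], len) == 0)
            return 1;
    }
    return 0;
}

/* What a wrapper like sudo should do before exec: copy the caller's
 * environment into out[], dropping the locale variables. Returns the
 * number of entries kept; out[] is NULL-terminated. */
size_t filter_env(const char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (is_locale_var(in[i]))
            continue;
        if (n + 1 >= cap)               /* keep room for the terminator */
            break;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}

/* Count printf conversion specifications in a string ("%%" is a literal).
 * Text pulled from a locale file must score 0 before it may be used as a
 * format: every conversion reads an argument that was never passed (a
 * stack leak), and %n writes through whatever that stale argument holds. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {              /* escaped percent, not a conversion */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* What the program itself should do with text it got back from the locale.
 * The bug in the thread is the pattern  printf(msg);  where msg came from
 * catgets(3)/strftime(3) data under a directory the caller selected.
 * Here msg is only ever data: refuse it if it looks like a format, and
 * otherwise pass it through a fixed "%s". Returns -1 when refused. */
int render_locale_text(char *buf, size_t cap, const char *msg)
{
    if (count_conversions(msg) > 0)
        return -1;
    return snprintf(buf, cap, "%s", msg);
}

int main(void)
{
    /* Constructed environment, as an attacker would set it before sudo. */
    const char *const env[] = {
        "PATH=/bin", "LC_ALL=cs_CZ.ISO8859-2", "PATH_LOCALE=/tmp/evil",
        "HOME=/root", NULL
    };
    const char *kept[8];
    size_t n = filter_env(env, kept, 8);
    for (size_t i = 0; i < n; i++)
        printf("kept: %s\n", kept[i]);

    char buf[64];
    const char *from_locale = "%x.%x.%x.%n";      /* hostile catalog text */
    if (render_locale_text(buf, sizeof buf, from_locale) < 0)
        printf("refused locale text with %d conversions\n",
               count_conversions(from_locale));
    return 0;
}
```

The two checks are independent: stripping the variables is the wrapper's job (the point Kris makes about sudo), while using a fixed "%s" format is the program's job and is the only one that holds up once a port has its own format-string bug.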



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
