Date: Thu, 7 Sep 2000 22:48:08 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To: Warner Losh <imp@village.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <Pine.GSO.4.10.10009072241190.845-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <200009071618.e87GIOG16223@billy-club.village.org>
On Thu, 7 Sep 2000, Warner Losh wrote:

> In message <Pine.GSO.4.10.10009071250210.25945-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
> : I allowed a user to run '/bin/ls -l /' as root - a simple test.
> :
> : /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
> : localized date/time formatting) even when invoked via
> : sudo. That would be sufficient to use the vulnerability, I suppose.
>
> Did it allow you to read a file in PATH_LOCALE that otherwise it
> wouldn't have? Are there buffer overflows that this could exploit?
> Are there information leaks that you could force with this? What,
> specifically, is the problem here?

I have not tried reading a file I would not have permission for; that is not something I could use the locales for - unless the file was in the format used by locales. I do not think that this mechanism could be used for arbitrary files.

The point is that if I submitted an evil locale - especially a locale containing formatting strings with "%n"s, and generally with a lot of weird formatting characters - I could potentially make that sudo-run program execute arbitrary code provided by me. That's what the original bugtraq advisory was about, and what I claim can be exploited with sudo on FreeBSD too.

However, the vulnerability is not a buffer overflow, it's only a not-properly-checked format string, and creating an exploit only using "%n"s would be really ugly, hard work, and I would be trying to avoid doing it at any cost....

Best regards and good night

Vladimir Mencl
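One check a privileged program can apply before handing a locale- or catalog-supplied string to a printf-family function, added here as an example and not code from FreeBSD, sudo or anyone in this thread: every conversion in the string must match, in order, the argument signature the call site will actually pass, and "%n" or positional "%N$" conversions are refused outright, so an untrusted string is never used as a format. The function and signature notation ("ss" for two char* arguments) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical helper for this example (not FreeBSD/sudo code).
 * Accept fmt only if its conversions are exactly the ones in `expected`
 * (e.g. "ss" for two char* arguments), in that order. %n, positional
 * "%N$" arguments, unknown conversions, extra or missing conversions
 * all make the string unusable as a format. Length modifiers are
 * skipped; tighten this if the call site passes non-int integer types. */
bool locale_fmt_matches(const char *fmt, const char *expected)
{
    const char *e = expected;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%" is a literal '%' */
            continue;
        /* digits here are a width unless a '$' follows (positional arg) */
        const char *q = p;
        while (*q >= '0' && *q <= '9')
            q++;
        if (*q == '$')
            return false;
        while (*p && strchr("-+ #0123456789.", *p)) /* flags/width/prec. */
            p++;
        while (*p && strchr("hlLqjzt", *p))         /* length modifiers */
            p++;
        if (*p == '\0' || *p == 'n' || *e == '\0' || *p != *e)
            return false;
        e++;
    }
    return *e == '\0';                          /* every expected arg used */
}

/* Print "<owner> <file>" with the locale's string only when it is safe
 * for exactly two string arguments; otherwise fall back to a built-in. */
int print_owner_line(const char *locale_fmt, const char *owner,
                     const char *file)
{
    const char *fmt = locale_fmt_matches(locale_fmt, "ss")
                      ? locale_fmt : "%s %s\n";
    return printf(fmt, owner, file);
}
```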