Bugtraq mailing list archives

Re: format string bug in muh
From: Kris Kennaway <kris () FREEBSD ORG>
Date: Sat, 9 Sep 2000 21:39:51 -0700

On Sat, 9 Sep 2000, Maxime Henrion wrote:

> The latest version, 2.05d (and probably other versions...) is
> vulnerable to a format string bug which can be used to make muh crash
> and probably to gain the privileges of the user running muh. Since
> I've not seen this in the bugtraq archive, I post it.

Actually there were a couple of other bad-looking ones I just patched in
FreeBSD:

--- src/muh.c.orig      Sun Mar 19 04:08:27 2000
+++ src/muh.c   Sat Sep  9 21:32:15 2000
@@ -575,7 +575,7 @@
                 if( strcmp( param2 + 2, "USERINFO\1" ) == 0 )
                     irc_notice( &c_server, nick, USERINFOREPLY );
                 if( strncmp( param2 + 2, "PING", 4 ) == 0 ) {
-                    if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, param2 + 1 );
+                    if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, "%s", param2 + 1 );
                 }
                 if( strcmp( param2 + 2, "CLIENTINFO\1" ) == 0 )
                     irc_notice( &c_server, nick, CLIENTINFOREPLY );
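
Review bot: The "%s" fix at line 578 covers only the PING reply, while the neighbouring calls at lines 576 and 581 still pass USERINFOREPLY and CLIENTINFOREPLY in the format position; their definitions are not in this hunk, so please confirm they are constant strings with no peer- or config-derived content, or pass them through "%s" as well for consistency. Since irc_notice takes a printf-style format as its third argument, declaring it with __attribute__((format(printf, 3, 4))) would let the compiler flag any remaining non-literal format arguments.
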
@@ -591,7 +591,7 @@
         }
         else { /* normale message/notice */
             if( !is_ignore( hostname, IGNORE_MESSAGE ) && status.allowreply ) {
-                if( cfg.awaynotice ) irc_notice( &c_server, nick, cfg.awaynotice );
+                if( cfg.awaynotice ) irc_notice( &c_server, nick, "%s", cfg.awaynotice );
                 add_ignore( hostname, 120, IGNORE_MESSAGE );
                 status.allowreply = 0;
                 timers.reply = 0;
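
Review bot: The call fixed at line 594 formats cfg.awaynotice, which by its name is a configuration value rather than text from the IRC peer, so the change description should distinguish it from the CTCP PING case: here the fix is hardening plus a correctness fix, since an away notice containing a literal % is now sent verbatim instead of being interpreted. If any code path can set cfg.awaynotice from network input, the description should say so.
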
@@ -841,7 +841,7 @@
             s = ( char * )malloc( 1024 );
             while( fgets( s, 1023, messagelog ) ) {
                 if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s ) - 1 ] = 0;
-                irc_notice( &c_client, status.nickname, s );
+                irc_notice( &c_client, status.nickname, "%s", s );
             }
             FREESTRING( s );
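
Review bot: Missing checks in the loop around the fixed call: line 843 reads s[ strlen( s ) - 1 ] without first checking that the string is non-empty, so a log line that begins with a NUL byte indexes s[-1], and the malloc( 1024 ) result at line 841 is handed to fgets without a NULL check. The "%s" change itself is right, since s is message log content replayed to the client; suggest guarding the newline strip with a length variable, e.g. len = strlen( s ); if( len && s[ len - 1 ] == '\n' ) s[ len - 1 ] = 0; and bailing out if malloc fails.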

Kris

