Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Format String Attacks
From: Dan Astoorian <djast () CS TORONTO EDU>
Date: Wed, 13 Sep 2000 13:29:45 -0400

On Wed, 13 Sep 2000 11:09:58 EDT, Doug Hughes writes:
Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.

[...]

      if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
              perror("allocating memory");
              exit(1);
      }

Note that perror() itself may perform localization on some platforms and
under some circumstances (e.g., if compiled with -lintl under Solaris).

I don't know whether it's exploitable in practice, but it appears to me
as though this wrapper could suffer, at least theoretically, from the
same weakness as the programs it's trying to protect.

--                          People shouldn't think that it's better to have
Dan Astoorian               loved and lost than never loved at all.  It's
Sysadmin, CSLab             not, it's better to have loved and won.  All
djast () cs toronto edu        the other options really suck.    --Dan Redican


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault