Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: Format String Attacks
From: Casper Dik <Casper.Dik () HOLLAND SUN COM>
Date: Fri, 15 Sep 2000 09:15:45 +0200
Note that perror() itself may perform localization on some platforms and
under some circumstances (e.g., if compiled with -lintl under Solaris).


perror() is always localized; -lintl isn't an actual library since
Solaris 2.5 when it was merged into libc.


I don't know whether it's exploitable in practice, but it appears to me
as though this wrapper could suffer, at least theoretically, from the
same weakness as the programs it's trying to protect.



That one isn't; no printf is involved in perror().
(It's gettext(strerror(errno)) written with write)


Of course, there are two other gaping holes in the wrapper, so
that point is a bit moot.

asper

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]