Bugtraq: Re: Format String Attacks

[Dan Harkless <dan-bugtraq () DILVISH SPEED NET>]

Dan Harkless <dan-bugtraq () DILVISH SPEED NET> writes:
> Sorry, yet another revision of this script is now available (probably the
> last change to be made).  This probably isn't necessary anywhere, but just
> to be extra-paranoid, I changed the syscall error reporting to just print
> the numeric errno rather than trusting strerror() to not do anything bogus.
> I also changed the clearing of the environment variable(s) to be done
> manually (using main()'s third parameter) rather than trusting putenv().
>
> Since the new version should be functionally identical to the last one, I
> won't waste more bandwidth by posting this rev.  If you'd like it, you can
> get it from:
>
>     http://harkless.org/dan/software/wrap_setid_progs_with_envar_clearer
Heh.  Sorry, realized a minor problem with my script driving home last
night.  In -u mode, the script unwrapped any setid programs that had the
".wrapper_due_to_envar_security_hole" extension.

Not safe to trust that all such files were created by the script, though.
In a +w +t directory like /tmp, a user could trick
wrap_setid_progs_with_envar_clearer -u into clobbering another user's file
by creating a fake (setid-self) wrapper.

I changed the script so that for each file, it asks whether it should be
unwrapped, just like in the non -u mode.  The script is available from the
URL above.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.