Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Format strings: bug #1: BSD-lpr
From: Jouko Pynn?nen <jouko () ENVIRO SOLUTIONS FI>
Date: Wed, 27 Sep 2000 13:23:48 +0300

On Tue, 26 Sep 2000, Chris Evans wrote:

Welcome to a short series of security bugs, all involving mistakes with
"user supplied format strings". This class of bug is very popular on
Bugtraq at the moment, so what an ideal time for a few examples.


If we look into

lpr/lpd/printjob.c, we can find the following two lines of code

        if ((s = checkremote()))
                syslog(LOG_WARNING, s);

This is a classic format string mistake.

It may not be exploitable, because the failure strings returned by
checkremote() in lpr/common_source/common.c, do not contain much data that
a user could control.

Correct me if I'm wrong, but in this case there is no user supplied
format string involved at all.  This is in fact a mistake with 
"administrator supplied format string". I looked at this few months ago
and came to the conclusion that to exploit this, the user should be able 
to modify /etc/printcap where the hostnames come from (ie. have root 
access), or make gethostname() return a format string, which is impossible
as well unless you already have root access.

This "bug" is certainly an example of some bad coding conventions, but it
is not exploitable under any imagineable circumstances. There have already
been, and there will be more than enough of alerts and advisories without
false alarms like this, right?

Jouko Pynnönen           Online Solutions Ltd       Secure your Linux -
jouko () solutions fi                                  http://www.secmod.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]