Re: Format strings: bug #1: BSD-lpr
From: Jouko Pynnönen <jouko () ENVIRO SOLUTIONS FI>
Date: Wed, 27 Sep 2000 13:23:48 +0300
On Tue, 26 Sep 2000, Chris Evans wrote:
> Welcome to a short series of security bugs, all involving mistakes with
> "user supplied format strings". This class of bug is very popular on
> Bugtraq at the moment, so what an ideal time for a few examples.
> If we look into lpr/lpd/printjob.c, we can find the following two lines of code
> if ((s = checkremote()))
> This is a classic format string mistake.
> It may not be exploitable, because the failure strings returned by
> checkremote() in lpr/common_source/common.c do not contain much data that
> a user could control.
Correct me if I'm wrong, but in this case there is no user supplied
format string involved at all. This is in fact a mistake with an
"administrator supplied format string". I looked at this a few months ago
and came to the conclusion that to exploit this, the user would have to be able
to modify /etc/printcap, where the hostnames come from (i.e. have root
access), or make gethostname() return a format string, which is impossible
as well unless you already have root access.
This "bug" is certainly an example of some bad coding conventions, but it
is not exploitable under any imaginable circumstances. There have already
been, and there will be, more than enough alerts and advisories without
false alarms like this, right?
Jouko Pynnönen Online Solutions Ltd Secure your Linux -
jouko () solutions fi http://www.secmod.com
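As an added illustration (not code from the thread or from BSD lpr), here is the shape of the bug in C: a constructed stand-in for checkremote() whose failure text embeds the remote host name taken from /etc/printcap, beside the fixed-"%s" logging form that keeps that text from being read as a format. The failure message wording and host names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for checkremote(): the text it returns embeds the
   remote host name read from /etc/printcap, which only the administrator
   can edit. That is why the later syslog(LOG_WARNING, s) call sees a
   format string chosen by the administrator, not by an ordinary user. */
static char failure_msg[256];

const char *checkremote_sim(const char *printcap_host) {
    snprintf(failure_msg, sizeof failure_msg,
             "unable to get official name for remote machine %s",
             printcap_host);
    return failure_msg;
}

/* Counts the conversion specifications a printf-family function would act
   on if this text were passed as the format. "%%" is a literal percent. */
int format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Hardened shape of the printjob.c call: the message is an argument and
   the format is the fixed literal "%s". Returns the length written. */
int log_warning_fixed(char *out, size_t outsz, const char *msg) {
    return snprintf(out, outsz, "%s", msg);
}

/* Buggy shape, syslog(LOG_WARNING, s): the message itself is the format.
   Guarded by the directive check so it is never executed on text that
   printf would interpret; returns -1 when the check refuses the message. */
int log_warning_buggy(char *out, size_t outsz, const char *msg) {
    return format_directives(msg) ? -1 : snprintf(out, outsz, msg);
}

int main(void) {
    char line[256];
    /* A printcap host entry containing "%" (constructed): only the
       fixed-format form logs it verbatim. */
    const char *m = checkremote_sim("lp%x%x.example.net");
    printf("%d directives; buggy form refused: %s\n", format_directives(m),
           log_warning_buggy(line, sizeof line, m) < 0 ? "yes" : "no");
    log_warning_fixed(line, sizeof line, m);
    puts(line);
    return 0;
}
```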