Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [VulnWatch] Bypassing libsafe format string protection
From: Steve Beattie <steve () wirex net>
Date: Wed, 20 Mar 2002 10:24:18 -0800

On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:

Libsafe protection against format string exploits may be easily bypassed
using flag characters that are implemented in glibc but are not
implemented in libsafe. 


Libsafe *printf function wrappers incorrectly parse argument indexing in
format strings. They always assume that the n-th conversion specification
uses n-th argument and does not properly count real number of arguments
used. Thus, arguments, whose index numbers are above the total number of
conversion specifications, are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides
a similar protection against format string attacks as libsafe) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

Steve Beattie                               Don't trust programmers? 
<steve () wirex net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]