mailing list archives
Re: [VulnWatch] Bypassing libsafe format string protection
From: Steve Beattie <steve () wirex net>
Date: Wed, 20 Mar 2002 10:24:18 -0800
On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
Libsafe protection against format string exploits may be easily bypassed
using flag characters that are implemented in glibc but are not
implemented in libsafe.
Libsafe *printf function wrappers incorrectly parse argument indexing in
format strings. They always assume that the n-th conversion specification
uses n-th argument and does not properly count real number of arguments
used. Thus, arguments, whose index numbers are above the total number of
conversion specifications, are not verified at all.
I'd like to point out that the Immunix FormatGuard tool (which provides
a similar protection against format string attacks as libsafe) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.
Steve Beattie Don't trust programmers?
<steve () wirex net> Complete StackGuard distro at
http://www.personaltelco.net -- overthrowing QWest, one block at a time.