Full Disclosure: Re: Vulnerability in Linux Kiss Server v1.2

Re: Vulnerability in Linux Kiss Server v1.2

From: "vashnukad vashnukad" <vashnukad1 () gmail com>
Date: Fri, 7 Mar 2008 16:05:02 -0500

I have not yet notified the vendors.

--
Name: Vashnukad
e-mail: vashnukad () vashnukad com
Site: http://www.vashnukad.com

On 3/5/08, David Judais <david.judais () googlemail com> wrote:

Why isn't there a patch?

From: vashnukad () vashnukad com

Site: http://www.vashnukad.com

Application: Linux Kiss Server v1.2

Type: Format strings

Priority: Medium

Patch available: No


The Linux Kiss Server contains a format strings vulnerability that, if run
in foreground mode, can be leveraged for access. The vulnerability is
demonstrated in the code below:

Function log_message():

if(background_mode == 0)

{

if(type == 'l')

fprintf(stdout,log_msg);


if(type == 'e')

fprintf(stderr,log_msg);

free(log_msg);

}




Function kiss_parse_cmd():



/* check full command name */

if (strncmp(cmd, buf, cmd_len))

{

asprintf(&log_msg,"unknow command: `%s'", buf);

log_message(log_msg,'e');

goto error;

}

buf += cmd_len;



So putting something like %n%n%n in 'buf' you can trigger the

vulnerability.



--

Name: Vashnukad

E-mail: vashnukad () vashnukad com

Site: http://www.vashnukad.com




--

Name: Vashnukad

e-mail: vashnukad () vashnukad com

Site: http://www.vashnukad.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Vulnerability in Linux Kiss Server v1.2 vashnukad (Mar 05)
- <Possible follow-ups>
- Re: Vulnerability in Linux Kiss Server v1.2 David Judais (Mar 06)
  - Re: Vulnerability in Linux Kiss Server v1.2 David Judais (Mar 07)
  - Message not available
    - Re: Vulnerability in Linux Kiss Server v1.2 vashnukad vashnukad (Mar 07)