
Bugtraq mailing list archives
Re: format bugs, in addition to the wuftpd bug
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Wed, 28 Jun 2000 01:38:03 +0100
H D Moore wrote:
> I spent some time last weekend going over a handful of daemons/privileged programs that I suspected had issues with formatting characters in user-supplied data. I will not release the names of affected programs yet as I am waiting for their maintainers to get back to me, but I would like to cover a seemingly-unknown security issue with passing user-defined fields to the syslog function:

Bugtraq is a full disclosure mailing list; why not mention the daemons? All your message will achieve is that all the Black Hats have reached for "grep". Based on your assertion that such flaws exist, I consider the following "obvious" to find, so I have no problems with posting it here.

From sources on my RedHat Linux 6.1 machine:

gdm:
  daemon/misc.c: lots of "syslog (LOG_ERR, s)"
  gui/{gdmchooser,gdmlogin}.c: similar flaws
rpc.statd:
  statd/log.c: syslog(level, buffer)

I look forward to your final report - I bet this issue is widespread. I also bet we're still discovering these flaws in a few years' time, just like we are with buffer overflows now :-(

Cheers
Chris