Hi,

I have found multiple format string vulnerabilities in Flightgear and
Simgear. This could allow an attacker to execute arbitrary code on a
Flightgear user's machine. This is possible because a user-controlled format
string is passed directly to printf family functions without any
validation. For example, if I have an aircraft xml model with a section
like this:

<text>
    <name>Registration</name>
    <type type="string">text-value</type>
    <property type="string">/sim/multiplay/callsign</property>
    <format type="string">%s</format>
    <draw-text type="bool">true</draw-text>
    .
    .
    .
</text>

the format string "%s" in label

<format type="string">%s</format>

is passed directly to snprintf. This line can be changed to something like
"%s %s %s %s", which will make Flightgear crash. Even more, if the "%n"
specifier is used, arbitrary code execution can be achieved. Until now I
have found this issue in the following files:

fgfs/flightgear/src/Cockpit/panel.cxx:1237
fgfs/flightgear/src/Cockpit/panel.cxx:1240
fgfs/flightgear/src/Cockpit/panel.cxx:1245
fgfs/flightgear/src/Network/generic.cxx:222

simgear/simgear/scene/model/SGText.cxx:72
simgear/simgear/scene/model/SGText.cxx:74

but other locations could also be affected. A solution for this bug would
be at least to validate that the "n" specifier is not present in the format
string.

Regards,

Andrés Gómez
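A validation routine along the lines the report suggests, as an added example (not FlightGear or SimGear code): it accepts a model's `<format>` string only if it contains exactly one conversion whose type matches the property, so `%n`, a second `%s`, a `*` width or a length modifier never reaches snprintf. The function names and the 256-byte buffer are assumptions made for the example.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Checks an untrusted printf-style format (e.g. the <format> element of an
// aircraft model) before it is handed to snprintf. Accepted: literal text,
// "%%", and exactly one conversion whose conversion character is listed in
// allowed_conv (e.g. "s" for string properties, "di" for ints, "feEgG" for
// doubles). Rejected: "%n", "*" width/precision, length modifiers, extra
// conversions, and a trailing lone '%', since each consumes an argument the
// caller never supplies or writes through one.
bool safe_text_format(const std::string& fmt, const char* allowed_conv) {
    int conversions = 0;
    for (size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        ++i;
        if (i >= fmt.size()) return false;            // dangling '%'
        if (fmt[i] == '%') continue;                  // literal percent sign
        // optional flags
        while (i < fmt.size() && fmt[i] && std::strchr("-+ #0", fmt[i])) ++i;
        // optional field width: digits only ('*' would pull an extra argument)
        while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9') ++i;
        // optional precision
        if (i < fmt.size() && fmt[i] == '.') {
            ++i;
            while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9') ++i;
        }
        // the next character must be an allowed conversion; this is where
        // "%n", "%*s", "%ls" and friends are rejected
        if (i >= fmt.size() || !fmt[i] || !std::strchr(allowed_conv, fmt[i]))
            return false;
        if (++conversions > 1) return false;
    }
    return conversions == 1;
}

// Formats a string-typed property value; if the format is rejected the raw
// value is shown instead of reaching snprintf with the attacker's format.
std::string format_string_property(const std::string& fmt,
                                   const std::string& value) {
    if (!safe_text_format(fmt, "s")) return value;
    char buf[256];                                   // assumed label size
    std::snprintf(buf, sizeof buf, fmt.c_str(), value.c_str());
    return std::string(buf);
}
```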
_______________________________________________
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel