Hi,
I agree with Olaf. Both the format string and the buffer overflow in Rotor.cpp
could allow user-assisted remote attackers to execute arbitrary code if
FlightGear's users download material (aircraft, airports, etc.) from an
untrusted web page or even an e-mail. Take a look at a vulnerability I
found before which is very similar:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4620
Not to mention the buffer overflow in SGSocketUDP (SimGear), which could be
exploitable by network packets, without user assistance.
Something important to note is that not every sprintf is vulnerable, so
there is no need to change them all, just those which are vulnerable.
Also, it is true that FlightGear is supposed to run in the user's context, but
very often the user and administrative contexts are the same, especially
on Windows. Anyway, there can always be a way to escalate privileges ;)
Here is an example of format string exploitation and privilege escalation:
http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/
Regards.
Andres Gomez
2012/3/20 Olaf Flebbe <f...@oflebbe.de>
> Hi Torsten,
>
> I am quite sure Flightgear has remote exploitable bugs.
>
> Think about social attack vectors like custom sceneries, special interest
> aircraft models. And the multiplayer protocol, or the httpd server ....
> Running malicious code in user context is bad enough...
>
> Olaf
>
>
> >
> > This is low priority, because the possible code injection can only
> > happen by the user itself and usually not over the (inter)net. And
> > FlightGear is supposed to run in the user's context which should add
> > some extra safety. (Never run fgfs as root or Administrator!)
> >
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Flightgear-devel mailing list
> Flightgear-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/flightgear-devel
>
--
CONFIDENTIALITY NOTICE:
This transmission is intended for the use of the individual or entity to
which it is addressed, and it may contain information that is confidential
or privileged under law. If the reader of this message is not the intended
recipient, you are hereby notified that retention, dissemination,
distribution or copying of this e-mail is strictly prohibited. If you
received this e-mail in error, please notify the sender immediately and
destroy the original. Thank you.
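The point above that only the vulnerable sprintf calls need changing is easy to state and easy to get wrong in a large code base, so here is the audit rule as working code. This is an added example written for this reply, not code from FlightGear, SimGear or Rotor.cpp: it bounds the maximum expansion of a literal printf-family format, gives a safe/replace verdict per call site and buffer size, and shows the bounded replacement handling a constructed hostile rotor name. It goes slightly beyond the thread by covering the general format grammar (flags, width, precision, length modifiers) rather than one call. It assumes a 32-bit int and 64-bit long/long long/size_t; HOSTILE_NAME and the call-site table are made-up inputs.

```c
/* Added audit helper for sprintf call sites (not FlightGear or SimGear code).
 * Assumes 32-bit int and 64-bit long / long long / size_t. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define UNBOUNDED (-1) /* %s without precision or a '*' width: size is data-controlled */
#define WRITES    (-2) /* %n: the format can write memory; never run on untrusted input */

/* Largest number of bytes (excluding the NUL) a literal format can expand to,
 * or UNBOUNDED / WRITES. Understands flags, width, precision, h/hh/l/ll/z and
 * the conversions d i u o x X c s %; anything else is treated as UNBOUNDED.
 * Bounds are conservative (the "#" prefix is always charged, for instance). */
int max_expansion(const char *fmt)
{
    int total = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { total++; continue; }
        p++;
        if (*p == '%') { total++; continue; }
        while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
        if (*p == '*') return UNBOUNDED;                       /* width from an argument */
        int width = 0;
        while (*p >= '0' && *p <= '9') width = width * 10 + (*p++ - '0');
        int prec = -1;
        if (*p == '.') {
            p++;
            if (*p == '*') return UNBOUNDED;
            prec = 0;
            while (*p >= '0' && *p <= '9') prec = prec * 10 + (*p++ - '0');
        }
        int wide = 0;                                          /* l, ll, z: 64-bit */
        while (*p && strchr("hlz", *p)) { if (*p != 'h') wide = 1; p++; }
        int body = 0, isint = 1;
        switch (*p) {
        case 'd': case 'i': body = wide ? 20 : 11; break;      /* "-9223372036854775808" */
        case 'u':           body = wide ? 20 : 10; break;
        case 'x': case 'X': body = wide ? 18 : 10; break;      /* "0x" + 16 or 8 digits */
        case 'o':           body = wide ? 23 : 12; break;      /* "0" + 22 or 11 digits */
        case 'c':           body = 1; isint = 0; break;
        case 's':           if (prec < 0) return UNBOUNDED;
                            body = prec; isint = 0; break;     /* ".N" caps the string */
        case 'n':           return WRITES;
        default:            return UNBOUNDED;
        }
        if (isint && prec + 2 > body) body = prec + 2;        /* ".N" forces N digits */
        total += body > width ? body : width;
    }
    return total;
}

/* Verdict for one call site: can sprintf(buf, fmt, ...) with this literal fmt
 * overflow a buffer of bufsize bytes? Returns 1 when it provably cannot. */
int sprintf_site_is_safe(const char *fmt, size_t bufsize)
{
    int need = max_expansion(fmt);
    return need >= 0 && (size_t)need + 1 <= bufsize;          /* +1 for the NUL */
}

/* Bounded replacement for the sites that fail the audit: never writes past n
 * bytes, always NUL-terminates, and returns 0 on truncation so the caller can
 * reject the input instead of silently using a clipped string. */
int format_bounded(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r >= 0 && (size_t)r < n;
}

/* Constructed sample input standing in for a rotor name read from an untrusted
 * aircraft file: too long for a small label buffer, and carrying directives that
 * would only be interpreted if the name itself were passed as the format. */
static const char HOSTILE_NAME[] =
    "main-rotor-%x%x%x%n-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Formats HOSTILE_NAME as data (a "%s" argument) into a 16-byte label and checks
 * that the bounded call reported truncation and left a NUL-terminated string of
 * at most 15 characters. Returns 1 if so. */
int hostile_name_is_contained(void)
{
    char label[16];
    memset(label, 'X', sizeof label);
    int ok = format_bounded(label, sizeof label, "rotor:%s", HOSTILE_NAME);
    return ok == 0 && label[15] == '\0' && strlen(label) == 15;
}

int main(void)
{
    static const struct { const char *fmt; size_t bufsize; } sites[] = {
        { "rotor_%d", 18 },   /* 6 + 11 + NUL = 18: safe as written, leave it alone */
        { "rotor_%d", 16 },   /* same format, buffer two bytes short: overflow */
        { "%.15s", 16 },      /* precision bounds the string: safe */
        { "%s", 4096 },       /* no bound at all: size depends on the data */
        { "%08lx", 32 },      /* width 8, but a 64-bit long can print 18: still fits */
    };
    for (size_t i = 0; i < sizeof sites / sizeof sites[0]; i++)
        printf("%-10s into %4zu bytes: max %3d -> %s\n", sites[i].fmt, sites[i].bufsize,
               max_expansion(sites[i].fmt),
               sprintf_site_is_safe(sites[i].fmt, sites[i].bufsize) ? "safe" : "REPLACE");
    printf("hostile name used as the format itself: %s\n",
           max_expansion(HOSTILE_NAME) == WRITES ? "contains %n, would write memory" : "?");
    printf("hostile name passed as %%s data, bounded: %s\n",
           hostile_name_is_contained() ? "truncated and reported" : "BUG");
    return 0;
}
```

The practical reading: a call whose format is a literal and whose max_expansion plus one fits the destination is the "safe" sprintf that does not need touching; a call with a non-literal format gets the WRITES/UNBOUNDED verdict on whatever the data could contain and must become a literal format with the data as a %s argument; a call that fails only on size moves to the bounded form and treats truncation as a rejected input, not a clipped name.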