Sorry, my response became detached from the original thread somehow. On Wed, Mar 5, 2008 at 4:29 PM, David Judais <[EMAIL PROTECTED]> wrote:
> Why isn't there a patch? > > > From: [EMAIL PROTECTED] > > > Site: http://www.vashnukad.com > > Application: Linux Kiss Server v1.2 > > Type: Format strings > > Priority: Medium > > Patch available: No > > > The Linux Kiss Server contains a format strings vulnerability that, if run > in foreground mode, can be leveraged for access. The vulnerability is > demonstrated in the code below: > > Function log_message(): > > if(background_mode == 0) > > { > > if(type == 'l') > > fprintf(stdout,log_msg); > > > if(type == 'e') > > fprintf(stderr,log_msg); > > free(log_msg); > > } > > > > > Function kiss_parse_cmd(): > > > > /* check full command name */ > > if (strncmp(cmd, buf, cmd_len)) > > { > > asprintf(&log_msg,"unknow command: `%s'", buf); > > log_message(log_msg,'e'); > > goto error; > > } > > buf += cmd_len; > > > > So putting something like %n%n%n in 'buf' you can trigger the > vulnerability. > > > -- > > Name: Vashnukad > > E-mail: [EMAIL PROTECTED] > > Site: http://www.vashnukad.com > > > > > -- > > Name: Vashnukad > > e-mail: [EMAIL PROTECTED] > > Site: http://www.vashnukad.com > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
