On Tue, May 17, 2011 at 4:26 PM, Murray S. Kucherawy wrote:
> There was some other macro expansion mechanism in there that was unchecked.
> It wasn't a typical printf-style expansion but it did cause file accesses and
> the like, meaning user-provided data could cause unauthorized file system
Ah, I stand corrected. At least part of the problem was indeed varargs related.
The interesting thing is I saw some traffic on the exim users list that also
had to do with such things causing file accesses. Could be just a coincidence,
but somehow I don't think so...
_
Hector Santos wrote:
> Jeff Macdonald wrote:
>
>>> Passing an unchecked string as a printf format is an ancient unix bug.
>>
>> Ah, so vargs type stuff. Still, I'll have to run it through a debugger
>> myself to understand. I would think one would have a loop of some
>> sort. I would of thought i
Jeff Macdonald wrote:
>> Passing an unchecked string as a printf format is an ancient unix bug.
>
> Ah, so vargs type stuff. Still, I'll have to run it through a debugger
> myself to understand. I would think one would have a loop of some
> sort. I would of thought if there were no args it would
On Tue, May 17, 2011 at 5:40 PM, John R. Levine wrote:
>> How can:
>>
>> log_write(0, LOG_MAIN, (char *)logmsg)
>>
>> be used to arbitrarily inject code? I understand the concept, but
>> having % in the logmsg with no parameters to feed it seems harmless to
>> me.
>
> It took random junk off the s
> -Original Message-
> From: dkim-ops-boun...@mipassoc.org [mailto:dkim-ops-boun...@mipassoc.org] On
> Behalf Of Jeff Macdonald
> Sent: Tuesday, May 17, 2011 1:48 PM
> To: MH Michael Hammer (5304)
> Cc: dkim-ops@mipassoc.org
> Subject: Re: [dkim-ops] FW: how can use
Jeff Macdonald wrote:
> Ok, I'll bite.
>
> How can:
>
> log_write(0, LOG_MAIN, (char *)logmsg)
>
> be used to arbitrarily inject code? I understand the concept, but
> having % in the logmsg with no parameters to feed it seems harmless to
> me.
It depends. The devil is in the details of how log_
Ok, I'll bite.
How can:
log_write(0, LOG_MAIN, (char *)logmsg)
be used to arbitrarily inject code? I understand the concept, but
having % in the logmsg with no parameters to feed it seems harmless to
me.
On Tue, May 17, 2011 at 10:43 AM, MH Michael Hammer (5304)
wrote:
> Thought this might be
Thought this might be of passing interest to the list.
http://www.h-online.com/security/news/item/Critical-hole-in-the-Exim-Mai
l-server-closed-1239543.html
Mike
___
dkim-ops mailing list
dkim-ops@mipassoc.org
http://mipassoc.org/mailman/li
