|
Hi,
INTRO
-----
Welcome to a short series of security bugs, all involving mistakes with
"user supplied format strings". This class of bug is very popular on
Bugtraq at the moment, so what an ideal time for a few examples.
BSD-lpr
-------
If we look into
lpr/lpd/printjob.c, we can find the following two lines of code
if ((s = checkremote()))
syslog(LOG_WARNING, s);
This is a classic format string mistake.
It may not be exploitable, because the failure strings returned by
checkremote() in lpr/common_source/common.c, do not contain much data that
a user could control.
However, it illustrates that format string bugs creep in everywhere, even
in code that gets syslog() calls correct the majority of the time, as is
the case with BSD-lpr.
Fix
---
OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS,
but they also offer web indexed CVS. They caught it independently as part
of their "format strings" audit.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&
r2=1.20
Conclusion
----------
The next format string bug in the series will be much more interesting.
Cheers
Chris
|
