Package: yardradius
Version: 1.1.2-4
Severity: critical (security)

Dear Maintainer,

Several format string vulnerabilities were found in the latest `yardradius` version, as explained further below:

src/log.c:

    void log_msg(int priority, char *fmt, va_list args)
    {
        ...
        char buffer[1024];
        ...
        vfprintf(msgfd, fmt, args);
        ...
        vsnprintf(buffer, 1024, fmt, args);
    #if defined(HAVE_SYSLOG)
        syslog(priority, buffer);
        ...
        vsyslog(priority, fmt, args);
        ...
    }

So an attacker can fill fmt with, for example, "%x" and see the addresses.

############

src/version.c:

    #define STRVER "%s : YARD Radius Server %s ... $ "

    void version(void)
    {
        char buffer[1024];
        build_version(buffer, sizeof(buffer));
        fprintf(stderr, buffer);
        exit(-1);
    }
    ...
    void build_version(char *bp, size_t sizeofbp)
    {
        snprintf(bp, sizeofbp-1, STRVER, progname, VERSION);
    ..

    $ ln -s radiusd %x
    $ ./%x -v
    ./b77c0ff4 : YARD Radius Server 1.1 ...

It seems more vulnerabilities of this type exist in the source; if I find any other bug I will file them. If I can help in patching or anything, please let me know.

Thank you,
Hamid Zamani

-- System Information:
Debian Release: Kali Linux 1.0
Architecture: i386 (i686)
Kernel: Linux 3.7-trunk-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages yardradius depends on:
ii  libc6           2.13-38
ii  libgdbm3        1.8.3-11
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1

yardradius recommends no packages.
yardradius suggests no packages.

-- no debconf information
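Added example (not part of this report and not yardradius' own code): a hardened shape for the two call sites the report quotes, log_msg() in src/log.c and version()/build_version() in src/version.c. The rule in both cases is the same: text that came from outside the program (argv[0], a RADIUS attribute, a username) is only ever passed as an argument to a fixed format such as "%s", never as the format itself. The names log_msg_fixed, emit_log_line, format_log_line and build_version_fixed are hypothetical, msgfd is taken as a parameter instead of the global the original uses, and HAVE_SYSLOG is honoured as in the original. One further caveat the quoted log_msg() also illustrates: the same va_list is consumed by vfprintf, vsnprintf and vsyslog in turn, which is undefined behaviour in C; the example uses va_copy so the list can be formatted once and reused safely.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_BUFSZ 1024   /* same buffer size as the original log_msg() */

/* Format the caller's (trusted, literal) format string once into buf.
 * The va_list is va_copy'd first, so the caller may keep using `args`
 * afterwards; returns vsnprintf's result (bytes needed, or <0). */
int format_log_line(char *buf, size_t n, const char *fmt, va_list args)
{
    va_list copy;
    va_copy(copy, args);
    int len = vsnprintf(buf, n, fmt, copy);
    va_end(copy);
    return len;
}

/* Emit an already-formatted line. The buffer goes in as an ARGUMENT to a
 * fixed "%s" format, so any '%' it contains is printed literally. This is
 * the fix for `fprintf(stderr, buffer)` and `syslog(priority, buffer)`. */
int emit_log_line(FILE *msgfd, int priority, const char *line)
{
    int written = fprintf(msgfd, "%s\n", line);
#if defined(HAVE_SYSLOG)
    syslog(priority, "%s", line);   /* same rule applies to syslog(3) */
#endif
    (void)priority;                 /* unused when HAVE_SYSLOG is off */
    return written;
}

/* Hypothetical replacement for log_msg(): `fmt` must be a literal written by
 * the programmer; untrusted text is only ever supplied through the `...`. */
int log_msg_fixed(FILE *msgfd, int priority, const char *fmt, ...)
{
    char buffer[LOG_BUFSZ];
    va_list args;
    va_start(args, fmt);
    int len = format_log_line(buffer, sizeof buffer, fmt, args);
    va_end(args);
    if (len < 0)
        return -1;
    return emit_log_line(msgfd, priority, buffer);
}

/* Hypothetical replacement for build_version(): progname (derived from
 * argv[0], hence attacker-influenced via a symlink name) is a %s argument,
 * and the resulting banner must be printed with emit_log_line(), never as a
 * format. Returns snprintf's result. */
int build_version_fixed(char *bp, size_t n, const char *progname,
                        const char *version)
{
    return snprintf(bp, n, "%s : YARD Radius Server %s", progname, version);
}

int main(int argc, char **argv)
{
    /* Constructed demo: a program name containing '%x' is echoed verbatim. */
    const char *progname = argc > 0 ? argv[0] : "radiusd";
    char banner[LOG_BUFSZ];
    build_version_fixed(banner, sizeof banner, progname, "1.1");
    emit_log_line(stderr, LOG_INFO, banner);
    log_msg_fixed(stderr, LOG_INFO, "client sent %s (code %d)", "%x", 7);
    return 0;
}
```

Running the demo as `./%x` (the same symlink trick the report uses) prints the literal text `./%x : YARD Radius Server 1.1` instead of a stack value, because the banner is data, not a format. Compiling with `-Wformat -Wformat-security` also flags the original `fprintf(stderr, buffer)` and `syslog(priority, buffer)` calls, which is a cheap check to add to the package build.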