At 09:08 20/11/00 -0500, Rick Murphy wrote:
>> I don't see where the buf parm can be exploited. all pmsg calls are
>> either with an "internal" buffer or
>> with one that was sprintf-ed in. so even passing a display of "%s" hoping
>> for a core dump doesn't do.
>
>An invalid display argument is a string that looks like a valid display,
>but has a screen number that's out of range. What happens then is a buffer
>in x-gw's main() function gets built with an error message using sprintf
>using the parsed display argument:
>
>    if( (pid=atoi(dpy+len+1)) < 0 || pid>(toport-BASE_PORT) ) {
>        sprintf(buf,"Invalid display=%s. Must be 0-100\n",dpy+len+1);
>        pmsg(buf,0);
>        goto out;
>    }
>'len' points to the ":" in the display string in this case.
>If you use "-disp xxx:9999%s", it ends up in the string passed to pmsg(),
>which displays an error message using fprintf(stderr, buf). That causes a
>core dump for me.
That's what I tried, but it doesn't do anything on gcc/FreeBSD. Maybe it does
bad things on cc/solaris or so?
(I've been lazy to try it on solaris/cc...:).
If it's a problem, then there is no fix unless you modify sprintf and
friends. Indeed, if "%s" gets
interpreted, then "%%s", "%%%s", ... get you wherever you want!
So, the only problem I see is related to OS/compiler implementations of
*printf* functions...
>I note with some amusement that the original advisory said there'd be an
>exploit posted on the geekgang website <http://www.geekgang.co.uk>; as far
>as I can tell, there's nothing there (literally).
That's the problem with today's announcements. They are uncontrolled.
People get listened to not because they say the
truth or they deserve it, but because they know how to suck... The worst is
that many think they're doing it for the benefit
of the human race. They simply don't know how many bad things have been done
for the "benefit of the humanity"...
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
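The error-message pattern the thread argues about, as an added example that is not x-gw's code or anyone in the thread's: the user's display text is kept as a `%s` argument rather than becoming the format string, and the screen number is validated so that trailing text such as `%s` is rejected before any message is built. The function names (`pmsg_safe`, `has_format_directive`, `parse_screen`, `build_display_error`) are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not x-gw's code. The message says x-gw builds an
 * error string holding the user's display text and then calls
 * fprintf(stderr, buf), so any '%' in that text is interpreted. Here the
 * text is always data, never the format. */

/* Hardened pmsg: buf is an argument to a fixed format, never the format. */
void pmsg_safe(const char *buf)
{
    fprintf(stderr, "%s", buf);
}

/* Returns 1 if s would trigger a conversion when misused as a format
 * string. "%%" is a literal percent and does not count. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Parses the screen number after the ':' in a display such as "host:7".
 * Returns it, or -1 when it is missing, non-numeric, followed by other
 * characters, or outside 0..max. atoi() would accept "9999%s" as 9999. */
int parse_screen(const char *dpy, int max)
{
    const char *colon = strchr(dpy, ':');
    char *end;
    long n;
    if (colon == NULL || colon[1] == '\0')
        return -1;
    errno = 0;
    n = strtol(colon + 1, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0 || n > max)
        return -1;
    return (int)n;
}

/* Builds the same message x-gw does, with the screen text as a %s
 * argument. Returns its length, or -1 if it did not fit in out. */
int build_display_error(char *out, size_t outsz, const char *screen)
{
    int n = snprintf(out, outsz, "Invalid display=%s. Must be 0-100\n", screen);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```

Printing the built message with `pmsg_safe()` leaves the literal `%s` in the output instead of reading a missing argument, which is the behaviour the thread was trying to provoke.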