Re: [Full-disclosure] Vulnerability in Linux Kiss Server v1.2

David Judais Wed, 05 Mar 2008 23:07:11 -0800

Why isn't there a patch?

> From: [EMAIL PROTECTED]
>
Site: http://www.vashnukad.com


Application: Linux Kiss Server v1.2

Type: Format strings

Priority: Medium

Patch available: No


The Linux Kiss Server contains a format strings vulnerability that, if run
in foreground mode, can be leveraged for access. The vulnerability is
demonstrated in the code below:

            Function log_message():

                  if(background_mode == 0)

                  {

                    if(type == 'l')

                      fprintf(stdout,log_msg);


                    if(type == 'e')

                      fprintf(stderr,log_msg);

                    free(log_msg);

                  }




            Function kiss_parse_cmd():



                  /* check full command name */

                  if (strncmp(cmd, buf, cmd_len))

                      {

                         asprintf(&log_msg,"unknow command: `%s'", buf);

                         log_message(log_msg,'e');

                         goto error;

                      }

                  buf += cmd_len;



So putting something like %n%n%n in 'buf' you can trigger the vulnerability.


-- 

Name: Vashnukad

E-mail: [EMAIL PROTECTED]

Site: http://www.vashnukad.com




-- 

Name: Vashnukad

e-mail: [EMAIL PROTECTED]

Site: http://www.vashnukad.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vulnerability in Linux Kiss Server v1.2

Reply via email to