I have not yet notified the vendors. -- Name: Vashnukad e-mail: [EMAIL PROTECTED] Site: http://www.vashnukad.com
> On 3/5/08, David Judais <[EMAIL PROTECTED]> wrote: > > Why isn't there a patch? > > > > > From: [EMAIL PROTECTED] > > > > > Site: http://www.vashnukad.com > > > > Application: Linux Kiss Server v1.2 > > > > Type: Format strings > > > > Priority: Medium > > > > Patch available: No > > > > > > The Linux Kiss Server contains a format strings vulnerability that, if run > > in foreground mode, can be leveraged for access. The vulnerability is > > demonstrated in the code below: > > > > Function log_message(): > > > > if(background_mode == 0) > > > > { > > > > if(type == 'l') > > > > fprintf(stdout,log_msg); > > > > > > if(type == 'e') > > > > fprintf(stderr,log_msg); > > > > free(log_msg); > > > > } > > > > > > > > > > Function kiss_parse_cmd(): > > > > > > > > /* check full command name */ > > > > if (strncmp(cmd, buf, cmd_len)) > > > > { > > > > asprintf(&log_msg,"unknow command: `%s'", buf); > > > > log_message(log_msg,'e'); > > > > goto error; > > > > } > > > > buf += cmd_len; > > > > > > > > So putting something like %n%n%n in 'buf' you can trigger the > vulnerability. > > > > > > -- > > > > Name: Vashnukad > > > > E-mail: [EMAIL PROTECTED] > > > > Site: http://www.vashnukad.com > > > > > > > > > > -- > > > > Name: Vashnukad > > > > e-mail: [EMAIL PROTECTED] > > > > Site: http://www.vashnukad.com > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
