Tim wrote:
+-----[ Description ]-----+

Format string vulnerability.


+-----[ Vulnerable Code ]-----+ From less-382:

[filename.c] : 787

   public char *
open_altfile(filename, pf, pfd)
   char *filename;
   int *pf;
   void **pfd;
{
   ...................
   if ((lessopen = lgetenv("LESSOPEN")) == NULL
   ...................
   sprintf(cmd, lessopen, filename); <-- Format String Problem Here
   ...................

}



I am sorry, I fail to see how this is a vulnerability.

If you have control of LESSOPEN, you already have shell, since, from the
man page:

"An input preprocessor is simply an executable program (or shell
script), which writes the  contents of the file to a different file,
called the replacement file.
...
To  set  up  an input  preprocessor, set the LESSOPEN environment
variable to a command line which will invoke your  input  preprocessor."


Perhaps it would be better written if the LESSOPEN parser only allowed %s to work, as advertized, and not the other sprintf codes, but it really isn't a security issue (unless I am totally missing something). If you are really worried about it, add the -L option when running less, and it will ignore LESSOPEN.

cheers,
tim


Yes , thank you for correction. It is a bug not a vulnerability.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Reply via email to