Re: [Full-disclosure] Vulnerability in Linux Kiss Server v1.2
I have not yet notified the vendors.

--
Name: Vashnukad
e-mail: [EMAIL PROTECTED]
Site: http://www.vashnukad.com

> On 3/5/08, David Judais <[EMAIL PROTECTED]> wrote:
> > Why isn't there a patch?
> >
> > > From: [EMAIL PROTECTED]
> > > Site: http://www.vashnukad.com
> > >
> > > Application: Linux Kiss Server v1.2
> > > Type: Format strings
> > > Priority: Medium
> > > Patch available: No
> > >
> > > The Linux Kiss Server contains a format strings vulnerability that, if run
> > > in foreground mode, can be leveraged for access. The vulnerability is
> > > demonstrated in the code below:
> > >
> > > Function log_message():
> > >
> > >     if(background_mode == 0)
> > >     {
> > >         if(type == 'l')
> > >             fprintf(stdout,log_msg);
> > >
> > >         if(type == 'e')
> > >             fprintf(stderr,log_msg);
> > >         free(log_msg);
> > >     }
> > >
> > > Function kiss_parse_cmd():
> > >
> > >     /* check full command name */
> > >     if (strncmp(cmd, buf, cmd_len))
> > >     {
> > >         asprintf(&log_msg,"unknow command: `%s'", buf);
> > >         log_message(log_msg,'e');
> > >         goto error;
> > >     }
> > >     buf += cmd_len;
> > >
> > > So putting something like %n%n%n in 'buf' you can trigger the
> > > vulnerability.
> > >
> > > --
> > > Name: Vashnukad
> > > E-mail: [EMAIL PROTECTED]
> > > Site: http://www.vashnukad.com
> > >
> > > --
> > > Name: Vashnukad
> > > e-mail: [EMAIL PROTECTED]
> > > Site: http://www.vashnukad.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerability in Linux Kiss Server v1.2
Sorry, my response became detached from the original thread somehow.

On Wed, Mar 5, 2008 at 4:29 PM, David Judais <[EMAIL PROTECTED]> wrote:
> Why isn't there a patch?
>
> > From: [EMAIL PROTECTED]
> > Site: http://www.vashnukad.com
> >
> > Application: Linux Kiss Server v1.2
> > Type: Format strings
> > Priority: Medium
> > Patch available: No
> >
> > The Linux Kiss Server contains a format strings vulnerability that, if run
> > in foreground mode, can be leveraged for access. The vulnerability is
> > demonstrated in the code below:
> >
> > Function log_message():
> >
> >     if(background_mode == 0)
> >     {
> >         if(type == 'l')
> >             fprintf(stdout,log_msg);
> >
> >         if(type == 'e')
> >             fprintf(stderr,log_msg);
> >         free(log_msg);
> >     }
> >
> > Function kiss_parse_cmd():
> >
> >     /* check full command name */
> >     if (strncmp(cmd, buf, cmd_len))
> >     {
> >         asprintf(&log_msg,"unknow command: `%s'", buf);
> >         log_message(log_msg,'e');
> >         goto error;
> >     }
> >     buf += cmd_len;
> >
> > So putting something like %n%n%n in 'buf' you can trigger the
> > vulnerability.
> >
> > --
> > Name: Vashnukad
> > E-mail: [EMAIL PROTECTED]
> > Site: http://www.vashnukad.com
> >
> > --
> > Name: Vashnukad
> > e-mail: [EMAIL PROTECTED]
> > Site: http://www.vashnukad.com
Re: [Full-disclosure] Vulnerability in Linux Kiss Server v1.2
Why isn't there a patch?

> From: [EMAIL PROTECTED]
> Site: http://www.vashnukad.com
>
> Application: Linux Kiss Server v1.2
> Type: Format strings
> Priority: Medium
> Patch available: No
>
> The Linux Kiss Server contains a format strings vulnerability that, if run
> in foreground mode, can be leveraged for access. The vulnerability is
> demonstrated in the code below:
>
> Function log_message():
>
>     if(background_mode == 0)
>     {
>         if(type == 'l')
>             fprintf(stdout,log_msg);
>
>         if(type == 'e')
>             fprintf(stderr,log_msg);
>         free(log_msg);
>     }
>
> Function kiss_parse_cmd():
>
>     /* check full command name */
>     if (strncmp(cmd, buf, cmd_len))
>     {
>         asprintf(&log_msg,"unknow command: `%s'", buf);
>         log_message(log_msg,'e');
>         goto error;
>     }
>     buf += cmd_len;
>
> So putting something like %n%n%n in 'buf' you can trigger the
> vulnerability.
>
> --
> Name: Vashnukad
> E-mail: [EMAIL PROTECTED]
> Site: http://www.vashnukad.com
>
> --
> Name: Vashnukad
> e-mail: [EMAIL PROTECTED]
> Site: http://www.vashnukad.com
[Full-disclosure] Vulnerability in Linux Kiss Server v1.2
From: [EMAIL PROTECTED]
Site: http://www.vashnukad.com

Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No

The Linux Kiss Server contains a format strings vulnerability that, if run
in foreground mode, can be leveraged for access. The vulnerability is
demonstrated in the code below:

Function log_message():

    if(background_mode == 0)
    {
        if(type == 'l')
            fprintf(stdout,log_msg);

        if(type == 'e')
            fprintf(stderr,log_msg);
        free(log_msg);
    }

Function kiss_parse_cmd():

    /* check full command name */
    if (strncmp(cmd, buf, cmd_len))
    {
        asprintf(&log_msg,"unknow command: `%s'", buf);
        log_message(log_msg,'e');
        goto error;
    }
    buf += cmd_len;

So putting something like %n%n%n in 'buf' you can trigger the
vulnerability.

--
Name: Vashnukad
E-mail: [EMAIL PROTECTED]
Site: http://www.vashnukad.com
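The fix the quoted code calls for, as an added example written for this thread (not the Linux Kiss Server's own code): the log line is built with %s exactly as kiss_parse_cmd() does, but is then always passed as an argument to a constant format instead of being used as the format itself, and a small audit counter shows how many directives printf would otherwise act on. Function names other than the quoted ones are assumptions; asprintf() is replaced by portable snprintf()+malloc() so the block compiles without GNU extensions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened log_message(): the message is an argument to a constant format,
 * so "%n"/"%x" inside it are printed as text, never interpreted by printf. */
static int log_message_safe(FILE *out, const char *log_msg)
{
    return fprintf(out, "%s\n", log_msg);
}

/* Step 1 mirrors kiss_parse_cmd(): embedding the untrusted text via %s is
 * fine, it is an argument. Step 2 is the fix: the built line is again passed
 * as a %s argument where the original used it as the format string itself.
 * Returns the line length written to dst, or -1 on allocation failure. */
static int render_log_line(char *dst, size_t dst_len, const char *untrusted_cmd)
{
    int need = snprintf(NULL, 0, "unknow command: `%s'", untrusted_cmd);
    if (need < 0)
        return -1;
    char *log_msg = malloc((size_t)need + 1);
    if (log_msg == NULL)
        return -1;
    snprintf(log_msg, (size_t)need + 1, "unknow command: `%s'", untrusted_cmd);
    int n = snprintf(dst, dst_len, "%s", log_msg);  /* was: fprintf(out, log_msg) */
    free(log_msg);
    return n;
}

/* Same, into a static buffer; returns NULL on failure. */
static const char *rendered_line(const char *untrusted_cmd)
{
    static char line[256];
    return render_log_line(line, sizeof line, untrusted_cmd) < 0 ? NULL : line;
}

/* Audit helper: how many conversion directives printf would act on if this
 * string were used as a format ("%%" is a literal '%'). A non-zero count on
 * data that reaches fprintf(stream, msg) is exactly the reported bug. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%' && p[1] == '%')
            p++;                    /* escaped percent: skip the pair */
        else if (*p == '%')
            count++;
    }
    return count;
}
```

With the constructed input "%n%n%n" the hardened path emits the three %n sequences as literal characters, while count_format_directives() on the same line reports 3, the number of writes the original fprintf(stderr, log_msg) would have attempted.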