
List:       bugtraq
Subject:    Re: Format strings: bugs #3 & #4: ISC-dhcpd, ucd-snmp
From:       Paul Murphy <Paul.Murphy () GEMINI-GENOMICS ! COM>
Date:       2000-09-30 21:36:52

Chris Evans concluded from the output of GREP:

>More format string bugs. Exploitability on these has not really been
>researched. Current feeling is "maybe exploitable under certain
>circumstances/configurations".
>./common/errwarn.c:  syslog (log_priority | LOG_ERR, mbuf);
>./common/errwarn.c:  syslog (LOG_CRIT, "exiting.");
>./common/errwarn.c:  syslog (log_priority | LOG_ERR, mbuf);
>./common/errwarn.c:  syslog (log_priority | LOG_INFO, mbuf);
>./common/errwarn.c:  syslog (log_priority | LOG_DEBUG, mbuf);
>./common/errwarn.c:     syslog (log_priority | LOG_ERR, mbuf);
>./common/errwarn.c:     syslog (log_priority | LOG_ERR, token_line);

Given that syslog() can be fooled by passing it user input which contains
format characters, indiscriminate use of syslog with untrusted buffers is a very
bad idea.

However, by investigating further, it becomes apparent that all of the buffers
passed to syslog within the DHCP server are either static, or use variables
which are under the full control of the program.  The only details which come
from an external source are taken from the configuration file, which is only
accessible by root anyway.

Unless Chris can show that one of these variables can be influenced in some way
which causes a security problem, it's a non-issue.  Without proving that such a
problem exists, it's worse than identifying a real security problem, since it
maligns software which is actually pretty well written, and may cause a loss of
confidence in it.

Finally, I'd be interested to know whether Chris contacted ISC or Ted Lemon
before posting.  Most people on the list seem to prefer the vendor having some
chance of issuing a patch before the news of a potential security problem goes
public.

Best Wishes,

Paul.

-----------------------------------------------------------------------------
Paul Murphy - Head of I.T., Gemini Genomics
162 Science Park, Cambridge CB4 0GH
Tel. 01223 435305 Fax. 01223 435301
http://www.gemini-genomics.com/


_______________________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the Gemini I.T helpdesk on : +44 (0) 1223 435333
_______________________________________________________________________
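The point made above about syslog() and format characters, shown as an added example that is not part of this message or of the ISC dhcpd source. The grep output quoted in the thread shows the shape of the pattern (a message is expanded into mbuf, then mbuf is handed to syslog as the format argument); the errwarn.c code itself is not reproduced here. fake_syslog() is an assumed stand-in for syslog(3) that writes into a buffer so the result can be inspected offline, and the "client %s declined" message and the "evil%%host" client name are constructed inputs. Only the harmless "%%" directive is used, so the demonstration is deterministic; with "%x" or "%n" in the same position the second interpretation would read from, or write to, the stack instead.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for syslog(3): formats into a static buffer instead of
 * the system log so the effect of the format argument can be observed. */
static char sink[256];

static void fake_syslog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(sink, sizeof sink, fmt, ap);
    va_end(ap);
}

/* Unsafe pattern: the caller's format is expanded once into mbuf, and mbuf,
 * which now contains whatever the arguments contained, is passed to the
 * logger as a format string and interpreted a second time.  Any '%' that
 * arrived inside an argument is treated as a directive on that second pass. */
const char *log_error_unsafe(const char *fmt, ...)
{
    char mbuf[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(mbuf, sizeof mbuf, fmt, ap);
    va_end(ap);

    fake_syslog(mbuf);          /* mbuf used as the format: the bug */
    return sink;
}

/* Hardened form: identical expansion, but mbuf is passed as data to a
 * constant "%s" format, so its contents are never interpreted. */
const char *log_error_safe(const char *fmt, ...)
{
    char mbuf[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(mbuf, sizeof mbuf, fmt, ap);
    va_end(ap);

    fake_syslog("%s", mbuf);    /* mbuf is an argument, not the format */
    return sink;
}

/* Audit helper: count conversion directives in a buffer, i.e. every '%'
 * that is not half of an escaped "%%".  A non-zero count on data that came
 * from outside the program is what makes the unsafe pattern exploitable. */
size_t count_conversion_directives(const char *s)
{
    size_t n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: a client-supplied name carrying a '%' sequence. */
    const char *client = "evil%%host";

    printf("unsafe: %s\n", log_error_unsafe("client %s declined", client));
    printf("safe:   %s\n", log_error_safe("client %s declined", client));
    printf("directives in \"%%x%%x%%n\": %zu\n",
           count_conversion_directives("%x%x%n"));
    return 0;
}
```

With the unsafe version the doubled percent in the client name collapses to a single one on the second pass, proving that the logger parsed the already-expanded text as a format; the safe version logs the buffer byte for byte. Whether a given program's mbuf can ever carry external data is exactly the question argued in the thread; the helper above is the check to run on each syslog() call site when auditing that.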

