[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Kiss Server v1.2
From:       "vashnukad vashnukad" <vashnukad1 () gmail ! com>
Date:       2008-03-30 19:24:19
Message-ID: c461be1b0803301224j3ab21641h245d886fcd2f7e7f () mail ! gmail ! com
[Download RAW message or body]

From: vashnukad@vashnukad.com
Site: http://www.vashnukad.com
Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No

The Linux Kiss Server contains a format strings vulnerability that, if
run in foreground mode, can be leveraged for access. The vulnerability
is demonstrated in the code below:
            Function log_message():
                  if(background_mode == 0)
                  {
                    if(type == 'l')
                      fprintf(stdout,log_msg);

                    if(type == 'e')
                      fprintf(stderr,log_msg);
                    free(log_msg);
                  }


            Function kiss_parse_cmd():


                  /* check full command name */
                  if (strncmp(cmd, buf, cmd_len))
                      {
                         asprintf(&log_msg,"unknow command: `%s'", buf);
                         log_message(log_msg,'e');
                         goto error;
                      }
                  buf += cmd_len;

So putting something like %n%n%n in 'buf' you can trigger the vulnerability.

--
Name: Vashnukad
e-mail: vashnukad@vashnukad.com
Site: http://www.vashnukad.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]