[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Kiss Server v1.2
From: "vashnukad vashnukad" <vashnukad1 () gmail ! com>
Date: 2008-03-30 19:24:19
Message-ID: c461be1b0803301224j3ab21641h245d886fcd2f7e7f () mail ! gmail ! com
[Download RAW message or body]
From: vashnukad@vashnukad.com
Site: http://www.vashnukad.com
Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No
The Linux Kiss Server contains a format strings vulnerability that, if
run in foreground mode, can be leveraged for access. The vulnerability
is demonstrated in the code below:
Function log_message():
if(background_mode == 0)
{
if(type == 'l')
fprintf(stdout,log_msg);
if(type == 'e')
fprintf(stderr,log_msg);
free(log_msg);
}
Function kiss_parse_cmd():
/* check full command name */
if (strncmp(cmd, buf, cmd_len))
{
asprintf(&log_msg,"unknow command: `%s'", buf);
log_message(log_msg,'e');
goto error;
}
buf += cmd_len;
So putting something like %n%n%n in 'buf' you can trigger the vulnerability.
--
Name: Vashnukad
e-mail: vashnukad@vashnukad.com
Site: http://www.vashnukad.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic