5236347 2000-06-28  23:22  /47 lines/ Postmaster
Recipient: Bugtraq (import) <11483>
Subject: Re: format bugs, in addition to the wuftpd bug
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0006280052490.28532-100000@ferret.lmh.ox.ac.uk>
Date:         Wed, 28 Jun 2000 01:38:03 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
X-cc:         security-audit@ferret.lmh.ox.ac.uk, hdm@secureaustin.com
To: BUGTRAQ@SECURITYFOCUS.COM

H D Moore wrote:

> I spent some time last weekend going over a handful of
> daemons/privileged programs that I suspected had issues with formatting
> characters in user-supplied data. I will not release the names of
> affected programs yet as I am waiting for their maintainers to get back
> to me, but I would like to cover a seemingly-unknown security issue with
> passing user-defined fields to the syslog function:

Bugtraq is a full disclosure mailing list; why not mention the
daemons?  All your message will achieve is that all the Black Hats
have reached for "grep".

Based on your assertion that such flaws exist, I consider the
following "obvious" to find, so I have no problems with posting it
here.

From sources on my RedHat Linux 6.1 machine:

gdm:

daemon/misc.c: lots of "syslog (LOG_ERR, s)"
gui/{gdmchooser,gdmlogin}.c: similar flaws

rpc.statd:

statd/log.c: syslog(level, buffer)


I look forward to your final report - I bet this issue is
widespread. I also bet we're still discovering these flaws in a few
years' time, just like we are with buffer overflows now :-(

Cheers
Chris
(5236347) ------------------------------------------(Reflowed)
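An added example, not part of Chris Evans's post nor code from gdm or rpc.statd: the `syslog(LOG_ERR, s)` pattern named above beside its `"%s"` fix. A variadic `render()` stands in for syslog's formatting stage and writes to a buffer so the difference is observable offline; the function names and the sample input are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog()'s formatting stage: the same variadic shape,
 * but output goes to a buffer so the effect can be checked in a test. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* The flawed pattern the post cites, syslog(LOG_ERR, s): the user-supplied
 * string is passed as the format, so any %-directives in it are honoured.
 * Directives that expect arguments (%x, %s, %n) make this undefined
 * behaviour; the test uses %% because it is the one directive that is
 * safe to evaluate and still shows that the string was interpreted. */
static int log_unsafe(char *out, size_t n, const char *user_msg)
{
    return render(out, n, user_msg);
}

/* The fix: a constant format string; user data is only ever an argument,
 * so a '%' in it is copied literally. Same as syslog(LOG_ERR, "%s", s). */
static int log_safe(char *out, size_t n, const char *user_msg)
{
    return render(out, n, "%s", user_msg);
}

/* Cheap audit aid: flag a user-controlled string that carries a '%'
 * before it reaches a logging call. Returns 1 if one is present. */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[128];
    const char *user = "disk at 100%% full";   /* constructed sample input */
    log_unsafe(out, sizeof out, user);
    printf("unsafe: %s\n", out);   /* "disk at 100% full": %% interpreted */
    log_safe(out, sizeof out, user);
    printf("safe:   %s\n", out);   /* "disk at 100%% full": copied verbatim */
    return 0;
}
```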