Why isn't there a patch?
<div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
From: <a href="mailto:vashnukad@vashnukad.com" target="_blank" style=""><span class="Apple-style-span" style="color: rgb(0, 0, 0); text-decoration: none;">vashnukad@vashnukad.com</span></a><br></blockquote><span class="Apple-style-span" style="border-collapse: collapse; "><div class="gmail_quote">
<blockquote>Site: <a href="http://www.vashnukad.com" target="_blank" style=""><span class="Apple-style-span" style="color: rgb(0, 0, 0); text-decoration: none;">http://www.vashnukad.com</span></a><br></blockquote><blockquote>
Application: Linux Kiss Server v1.2<br></blockquote><blockquote>Type: Format strings<br></blockquote><blockquote>Priority: Medium<br></blockquote><blockquote>Patch available: No<br></blockquote><blockquote><br></blockquote>
<blockquote>The Linux Kiss Server contains a format string vulnerability that, if the server is run in foreground mode, can be leveraged for access. The vulnerability is demonstrated in the code below:<br></blockquote>
<blockquote><pre>
Function log_message():

    if(background_mode == 0)
    {
        if(type == 'l')
            fprintf(stdout,log_msg);

        if(type == 'e')
            fprintf(stderr,log_msg);
        free(log_msg);
    }


Function kiss_parse_cmd():

    /* check full command name */
    if (strncmp(cmd, buf, cmd_len))
    {
        asprintf(&log_msg,"unknow command: `%s'", buf);
        log_message(log_msg,'e');
        goto error;
    }
    buf += cmd_len;
</pre></blockquote>
<blockquote>So, by putting something like %n%n%n in 'buf', you can trigger the vulnerability.<br></blockquote><font color="#888888"><blockquote><br></blockquote><blockquote>-- <br></blockquote><blockquote>Name: Vashnukad<br></blockquote>
<blockquote>E-mail: <a href="mailto:vashnukad@vashnukad.com" target="_blank" style=""><span class="Apple-style-span" style="color: rgb(136, 136, 136); text-decoration: none;">vashnukad@vashnukad.com</span></a><br></blockquote>
<blockquote>Site: <a href="http://www.vashnukad.com" target="_blank" style=""><span class="Apple-style-span" style="color: rgb(136, 136, 136); text-decoration: none;">http://www.vashnukad.com</span></a><br></blockquote></font></div>
</span></div>
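<p>The bug the quoted advisory describes, as an added example written for this page (it is not Linux Kiss Server code and not the advisory author's): the logging path is rebuilt in miniature with the vulnerable <code>fprintf(stream, log_msg)</code> beside the corrected <code>fprintf(stream, "%s", log_msg)</code>, together with a scanner that counts conversion directives in a client command so <code>%n</code> probes can be spotted on the wire. The function names (<code>build_unknown_command_msg</code>, <code>log_message_vulnerable</code>, <code>log_message_fixed</code>, <code>handle_command</code>, <code>count_format_directives</code>) and the sample commands are assumptions made for the demo; output is written to a buffer instead of stderr so the two paths can be compared. Only the well-defined <code>%%</code> sequence is fed through the vulnerable call; a real <code>%x</code> or <code>%n</code> would read or write through the variadic arguments that were never supplied.</p>

```c
/* Added example, not code from Linux Kiss Server or its advisory: the
 * logging path the advisory describes, rebuilt so the vulnerable call
 * snprintf(out, n, log_msg) can be compared with the fix
 * snprintf(out, n, "%s", log_msg). All function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the advisory's asprintf(&log_msg, "... `%s'", buf): the
 * client's raw command bytes are embedded in the log message. The caller
 * frees the result; NULL is returned on allocation failure. */
static char *build_unknown_command_msg(const char *buf)
{
    const char *tmpl = "unknown command: `%s'";
    int len = snprintf(NULL, 0, tmpl, buf);
    if (len < 0) return NULL;
    char *msg = malloc((size_t)len + 1);
    if (msg == NULL) return NULL;
    snprintf(msg, (size_t)len + 1, tmpl, buf);
    return msg;
}

/* VULNERABLE: log_msg is used as the format string, as in the advisory's
 * fprintf(stderr, log_msg). Every '%' sequence in the client's command is
 * interpreted. The demo only passes "%%" (well defined); "%x" would leak
 * stack words and "%n" would write to memory. */
static int log_message_vulnerable(char *out, size_t outsz, const char *log_msg)
{
    return snprintf(out, outsz, log_msg);
}

/* FIXED: the message is an argument to a constant format, so '%' sequences
 * inside it are emitted literally. */
static int log_message_fixed(char *out, size_t outsz, const char *log_msg)
{
    return snprintf(out, outsz, "%s", log_msg);
}

/* Model of the advisory's foreground/background switch: in background mode
 * the fprintf() is never reached, which is why the advisory limits the issue
 * to foreground mode. Returns the length of the logged line, or -1 when
 * nothing was logged. */
static int handle_command(const char *client_buf, int background_mode,
                          int patched, char *out, size_t outsz)
{
    char *log_msg = build_unknown_command_msg(client_buf);
    int rc = -1;
    if (log_msg == NULL) return -1;
    if (background_mode == 0) {
        rc = patched ? log_message_fixed(out, outsz, log_msg)
                     : log_message_vulnerable(out, outsz, log_msg);
    }
    free(log_msg);
    return rc;
}

/* Detection heuristic for the wire: count '%' conversion directives in a
 * client command and report how many are '%n' (the memory-writing one).
 * "%%" is an escaped percent and is not counted. Returns the total number
 * of directives. A monitoring aid only, not a substitute for the fix. */
static int count_format_directives(const char *s, int *n_writes)
{
    int total = 0, writes = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }      /* "%%" -> literal '%' */
        total++;
        /* skip flags, width, precision, positional and length modifiers */
        const char *q = p + 1;
        while (*q != '\0' && strchr("-+ #0123456789.*hlLqjzt$", *q) != NULL) q++;
        if (*q == 'n') writes++;
        if (*q != '\0') p = q;
    }
    if (n_writes != NULL) *n_writes = writes;
    return total;
}

int main(void)
{
    char out[128];
    const char *attack = "%n%n%n";   /* the advisory's trigger */
    const char *probe = "HELO%%";    /* constructed, well-defined probe */
    int writes;
    int n = count_format_directives(attack, &writes);
    printf("directives=%d, %%n directives=%d\n", n, writes);
    handle_command(probe, 0, 0, out, sizeof out);
    printf("vulnerable: %s\n", out);
    handle_command(probe, 0, 1, out, sizeof out);
    printf("fixed:      %s\n", out);
    return 0;
}
```

<p>Compile with <code>cc -o demo demo.c</code> and run it: the vulnerable path collapses <code>HELO%%</code> to <code>HELO%</code> because the client bytes were parsed as a format, while the fixed path logs them unchanged. The scanner is only a way to notice <code>%n</code>-laden commands in traffic; the actual fix is never letting client data reach the format argument, and background mode merely hides the bug because that branch skips the <code>fprintf()</code> entirely.</p>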