Sorry, my response became detached from the original thread somehow.<br><br><div class="gmail_quote">On Wed, Mar 5, 2008 at 4:29 PM, David Judais <<a href="mailto:david.judais@googlemail.com">david.judais@googlemail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Why isn't there a patch?
<div><br></div><div><blockquote class="gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex">
From: <a href="mailto:vashnukad@vashnukad.com" target="_blank"><span style="color:rgb(0, 0, 0);text-decoration:none">vashnukad@vashnukad.com</span></a><br></blockquote><span style="border-collapse:collapse"><div class="gmail_quote">
<blockquote>Site: <a href="http://www.vashnukad.com" target="_blank"><span style="color:rgb(0, 0, 0);text-decoration:none">http://www.vashnukad.com</span></a><br></blockquote><blockquote>
Application: Linux Kiss Server v1.2<br></blockquote><blockquote>Type: Format strings<br></blockquote><blockquote>Priority: Medium<br></blockquote><blockquote>Patch available: No<br></blockquote><blockquote><br></blockquote>
<blockquote>The Linux Kiss Server contains a format strings vulnerability that, if run in foreground mode, can be leveraged for access. The vulnerability is demonstrated in the code below:<br></blockquote><blockquote> Function log_message():<br>
</blockquote><blockquote> if(background_mode == 0)<br></blockquote><blockquote> {<br></blockquote><blockquote> if(type == 'l')<br></blockquote><blockquote> fprintf(stdout,log_msg);<br>
</blockquote><blockquote><br></blockquote><blockquote> if(type == 'e')<br></blockquote><blockquote> fprintf(stderr,log_msg);<br></blockquote><blockquote> free(log_msg);<br>
</blockquote><blockquote> }<br></blockquote><blockquote> <br></blockquote><blockquote><br></blockquote><blockquote> Function kiss_parse_cmd():<br></blockquote><blockquote><br></blockquote>
<blockquote><br></blockquote><blockquote> /* check full command name */<br></blockquote><blockquote> if (strncmp(cmd, buf, cmd_len))<br></blockquote><blockquote> {<br>
</blockquote><blockquote> asprintf(&log_msg,"unknow command: `%s'", buf);<br></blockquote><blockquote> log_message(log_msg,'e');<br></blockquote><blockquote>
goto error;<br></blockquote><blockquote> }<br></blockquote><blockquote> buf += cmd_len;<br></blockquote><blockquote> <br></blockquote><blockquote>
So by putting something like %n%n%n in 'buf' you can trigger the vulnerability.<br></blockquote><font color="#888888"><blockquote><br></blockquote><blockquote>-- <br></blockquote><blockquote>Name: Vashnukad<br></blockquote>
<blockquote>E-mail: <a href="mailto:vashnukad@vashnukad.com" target="_blank"><span style="color:rgb(136, 136, 136);text-decoration:none">vashnukad@vashnukad.com</span></a><br></blockquote>
<blockquote>Site: <a href="http://www.vashnukad.com" target="_blank"><span style="color:rgb(136, 136, 136);text-decoration:none">http://www.vashnukad.com</span></a><br></blockquote></font></div>
</span></div>
</blockquote></div><br>
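A hardened counterpart of the quoted log_message()/kiss_parse_cmd() pattern, added here as an example and not code from the Linux Kiss Server project: untrusted text is only ever passed as an argument to a fixed format string, never as the format itself. The function names, the caller-owned buffer and the render_matches() self-check are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened counterpart of the quoted log_message(): log_msg is written with
 * fputs() (equivalent to fprintf(out, "%s", log_msg)), so '%' sequences in it
 * are printed literally. Takes ownership of log_msg like the original. */
void log_message_safe(char *log_msg, char type, int background_mode)
{
    if (background_mode == 0) {
        FILE *out = (type == 'e') ? stderr : stdout;
        fputs(log_msg, out);
        fputc('\n', out);
    }
    free(log_msg);
}

/* Fixed-format rendering of the "unknown command" line into a caller-owned
 * buffer, so the result can be checked without capturing stdout. */
int render_unknown_command(char *dst, size_t dst_len, const char *buf)
{
    return snprintf(dst, dst_len, "unknown command: `%s'", buf);
}

/* Hypothetical self-check: 1 if rendering buf yields exactly expected
 * (probe text preserved verbatim, no truncation), else 0. */
int render_matches(const char *buf, const char *expected)
{
    char line[256];
    int n = render_unknown_command(line, sizeof line, buf);
    if (n < 0 || (size_t)n >= sizeof line)
        return 0;
    return strcmp(line, expected) == 0;
}

int main(void)
{
    /* constructed probe mirroring the advisory's %n%n%n trigger */
    const char *probe = "%n%n%n";
    char line[256];
    render_unknown_command(line, sizeof line, probe);
    char *copy = malloc(strlen(line) + 1);
    if (copy == NULL)
        return 1;
    strcpy(copy, line);
    log_message_safe(copy, 'e', 0);   /* emits the %n sequence literally */
    return 0;
}
```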