[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Vulnerability in Linux Kiss Server v1.2
From: vashnukad <vashnukad () vashnukad ! com>
Date: 2008-03-05 3:43:25
Message-ID: c461be1b0803041943j7fbcff06yc2d99b767210c44e () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
From: vashnukad@vashnukad.com
Site: http://www.vashnukad.com
Application: Linux Kiss Server v1.2
Type: Format strings
Priority: Medium
Patch available: No
The Linux Kiss Server contains a format strings vulnerability that, if run
in foreground mode, can be leveraged for access. The vulnerability is
demonstrated in the code below:
Function log_message():
if(background_mode == 0)
{
if(type == 'l')
fprintf(stdout,log_msg);
if(type == 'e')
fprintf(stderr,log_msg);
free(log_msg);
}
Function kiss_parse_cmd():
/* check full command name */
if (strncmp(cmd, buf, cmd_len))
{
asprintf(&log_msg,"unknow command: `%s'", buf);
log_message(log_msg,'e');
goto error;
}
buf += cmd_len;
So putting something like %n%n%n in 'buf' you can trigger the vulnerability.
--
Name: Vashnukad
E-mail: vashnukad@vashnukad.com
Site: http://www.vashnukad.com
[Attachment #5 (text/html)]
From: <a href="mailto:vashnukad@vashnukad.com">vashnukad@vashnukad.com</a><br>Site: \
<a href="http://www.vashnukad.com">http://www.vashnukad.com</a><br>Application: Linux \
Kiss Server v1.2<br>Type: Format strings<br>Priority: Medium<br> Patch available: \
No<br><br>The Linux Kiss Server contains a format strings vulnerability that, if run \
in foreground mode, can be leveraged for access. The vulnerability is demonstrated in \
the code below:<br> \
Function log_message():<br> \
\
if(background_mode == \
0)<br> \
{<br> \
if(type == 'l')<br> \
fprintf(stdout,log_msg);<br><br> \
if(type == 'e')<br> \
fprintf(stderr,log_msg);<br> \
\
free(log_msg);<br> \
}<br> \
<br><br> Function \
kiss_parse_cmd():<br><br><br> \
/* check full command name \
*/<br> \
if (strncmp(cmd, buf, cmd_len))<br> \
\
{<br> \
asprintf(&log_msg,"unknow command: `%s'", \
buf);<br> \
log_message(log_msg,'e');<br> & \
nbsp; \
goto error;<br> \
}<br> \
buf += cmd_len;<br> \
<br>So putting something like %n%n%n in 'buf' you can trigger the \
vulnerability.<br clear="all"><br>-- <br>Name: Vashnukad<br>E-mail: <a \
href="mailto:vashnukad@vashnukad.com">vashnukad@vashnukad.com</a><br>
Site: <a href="http://www.vashnukad.com">http://www.vashnukad.com</a>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic