[UNIX] Format String Vulnerability In GNATS

• Previous message: SecuriTeam: "[NT] Bypassing ZoneAlarm Pro 'Mobile Code'"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 28 Jun 2004 16:10:15 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Format String Vulnerability In GNATS
------------------------------------------------------------------------

SUMMARY

 <http://www.gnu.org/software/gnats/> GNU GNATS is a set of tools for
tracking bugs reported by users to a central site. It allows problem
report management and communication with users via various means. GNATS
stores all the information about problem reports in its databases and
provides tools for querying, editing, and maintenance of the databases. A
format string bug has been discovered in the Gnats package that could
possibly be exploited to execute arbitrary commands.

DETAILS

Vulnerable Systems:
 * GNATS Version 4.0 (Prior versions might be also affected)

Vulnerable Code:
From gnats-4.0\gnats\misc.c line 94 and on:

#ifdef HAVE_SYSLOG_H
case SYSLOG:
syslog (severity, buf);
break;
#endif

In order to be able to exploit this vulnerability, GNATS should direct
it's logging to syslog (the default behavior of GNATS if not being called
from command line and no log file was specified.

Workaround:
Replace the call to syslog to something similar to:
syslog (severity, "%s", buf);

Vendor Status:
The Gnats team has been notified of the findings. No patch is available at
this time.

ADDITIONAL INFORMATION

The information has been provided by <mailto:shirani@zone-h.org> Khan
Shirani.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Bypassing ZoneAlarm Pro 'Mobile Code'"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]