Re: [VulnWatch] Bypassing libsafe format string protection
From: Steve Beattie (steve@wirex.net)  Date: 03/20/02
Date: Wed, 20 Mar 2002 10:24:18 -0800
From: Steve Beattie <steve@wirex.net>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
>
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe.
>
> 2.
>
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses the n-th argument and do not properly count the real number of arguments
> used. Thus, arguments whose index numbers are above the total number of
> conversion specifications are not verified at all.
I'd like to point out that the Immunix FormatGuard tool (which provides
protection against format string attacks similar to libsafe's) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for
a given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.
-- 
Steve Beattie                           Don't trust programmers?
<steve@wirex.net>                       Complete StackGuard distro at
http://NxNW.org/~steve/                 immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
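The two counting errors the quoted advisory describes, and the glibc-syntax counting that Steve says FormatGuard gets from parse_printf_format(), side by side in C. This is an added example, not code from the thread, from libsafe or from FormatGuard: count_args_limited() is a model of the weaknesses as the advisory states them (C89 flags only, "%N$" parsed but its index ignored), not libsafe's actual parser, and max_arg_required() is a portable stand-in for the argument count parse_printf_format() returns, written out so the example builds without glibc. The sample format strings are constructed for the demonstration.

```c
/*
 * Added example (not code from this thread, libsafe or FormatGuard):
 * two ways of counting how many arguments a printf format consumes.
 *
 * count_args_limited() models the two weaknesses the advisory describes:
 *   - it knows only the C89 flags "-+ #0", so a spec carrying a glibc-only
 *     flag such as "'" is not recognised and is silently dropped;
 *   - it parses "%N$" but ignores N, assuming the n-th spec uses the n-th
 *     argument.
 * max_arg_required() follows glibc's format syntax ("%N$", flags "-+ #0'I",
 * "*" and "*N$" width/precision, "%m" taking no argument) and returns the
 * highest argument index the format reaches, which is the number a wrapper
 * must use when deciding how many varargs to inspect. glibc exposes the same
 * figure through parse_printf_format() in <printf.h>; a portable
 * re-implementation is used here so the example builds anywhere.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char C89_FLAGS[]   = "-+ #0";
static const char GLIBC_FLAGS[] = "-+ #0'I";
static const char LENGTH_MODS[] = "hlLqjzt";
static const char CONVERSIONS[] = "diouxXeEfFgGaAcCsSpnm";

/* Consume an optional run of decimal digits at *p; returns its value, 0 if none. */
static int parse_num(const char **p)
{
    int n = 0;
    while (isdigit((unsigned char)**p))
        n = n * 10 + (*(*p)++ - '0');
    return n;
}

/* Sequential counter, C89 flags only. Returns the number of specs it recognised. */
int count_args_limited(const char *fmt)
{
    int n = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }
        const char *save = p;                 /* "%N$": index parsed, then ignored */
        if (parse_num(&p) > 0 && *p == '$') p++; else p = save;
        while (*p && strchr(C89_FLAGS, *p)) p++;
        if (*p == '*') p++; else parse_num(&p);
        if (*p == '.') { p++; if (*p == '*') p++; else parse_num(&p); }
        while (*p && strchr(LENGTH_MODS, *p)) p++;
        /* An unknown flag such as "'" lands here, fails the check, and the spec is dropped. */
        if (*p && strchr(CONVERSIONS, *p)) { n++; p++; }
    }
    return n;
}

/* Width or precision: digits, "*" (next sequential argument) or "*N$". */
static void take_width(const char **p, int *next_seq, int *max_idx)
{
    if (**p != '*') { parse_num(p); return; }
    (*p)++;
    const char *save = *p;
    int idx = parse_num(p);
    if (idx > 0 && **p == '$') (*p)++;
    else { *p = save; idx = ++*next_seq; }
    if (idx > *max_idx) *max_idx = idx;
}

/* Highest argument index the format consumes under glibc rules, or -1 if a
 * conversion specification is malformed (e.g. a trailing lone '%'). */
int max_arg_required(const char *fmt)
{
    int next_seq = 0, max_idx = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }
        const char *save = p;
        int pos = parse_num(&p);
        if (pos > 0 && *p == '$') p++; else { p = save; pos = 0; }
        while (*p && strchr(GLIBC_FLAGS, *p)) p++;
        take_width(&p, &next_seq, &max_idx);
        if (*p == '.') { p++; take_width(&p, &next_seq, &max_idx); }
        while (*p && strchr(LENGTH_MODS, *p)) p++;
        if (!*p || !strchr(CONVERSIONS, *p)) return -1;
        if (*p != 'm') {                      /* %m prints strerror(errno), takes no argument */
            int idx = pos ? pos : ++next_seq;
            if (idx > max_idx) max_idx = idx;
        }
        p++;
    }
    return max_idx;
}

int main(void)
{
    /* Constructed sample formats: a benign one, then the two bypass shapes. */
    const char *samples[] = { "%s %d", "%'d", "%3$n", "%1$s %3$n" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s limited=%d glibc=%d\n", samples[i],
               count_args_limited(samples[i]), max_arg_required(samples[i]));
    return 0;
}
```

On "%'d" the limited counter sees no conversion at all, so a wrapper built on it would check nothing while glibc happily consumes one argument; on "%3$n" it sees one spec and would inspect only the first vararg while glibc writes through the third. A wrapper that checks the first max_arg_required() arguments covers both cases, which is the property Steve attributes to FormatGuard's use of parse_printf_format().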