
zkfingerd-2.0.2 (the last version) Format String Vulnerabilities




                                ========================================
                                Ph4nt0m Security Advisory 2#2003--7-7
                                ========================================

 Title: zkfingerd-2.0.2 (the last version) Format String Vulnerabilities



 Advisory Number         : SRT2003-7-7-002

 Product                 : zkfingerd

 Version                 : 2.0.2 (possibly all versions)

 Vendor                  : http://sourceforge.net/projects/zkfingerd

 Class                   : Local & remote

 Criticality             : High

 Operating System(s)     : *nix





 

*****************************************************************************

 High Level Description  : Format String Vulnerabilities in syslog() and fprintf()

*****************************************************************************



 Technical Details

 ************************************************************************

 zkfingerd-r3-0.9 could be remotely exploitable, and the latest version, 2.0.2,
 also has a format string vulnerability.

 The code is in src/die.c (_finger_error), line 107:

 .........................................

/* Excerpt from zkfingerd 2.0.2 src/die.c. The standard headers are added here
 * for readability; chomp() and the *_ERROR option flags are defined elsewhere
 * in zkfingerd. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

void
_finger_error(int options, char *function, char *file,
	int line, char *msg, ...)
{
	va_list	ap;

	va_start(ap, msg);

	chomp(msg);

#ifdef	DEBUG
	if(options & DEBUG_ERROR)
		fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
	else
#endif
	if(!(options & QUIET_ERROR))
		fprintf(stdout, "< ");

	/* "!ap" is not a meaningful test for "no variadic arguments were passed":
	 * whichever branch runs, msg is handed to a printf-family function as
	 * its format string. */
	if(strchr(msg, '%') != NULL && !ap)
	{
		if(!(options & QUIET_ERROR))
			fprintf(stdout, msg);	/* <-- msg is the format string, and msg can be supplied by the attacker */

#ifndef	NO_SYSLOG
		syslog(LOG_CRIT, msg);	/* <-- same problem through syslog() */
#endif
	}
	else
	{
		if(!(options & QUIET_ERROR))
			vfprintf(stdout, msg, ap);	/* msg is still the format string here */

#ifndef	NO_SYSLOG
		vsyslog(LOG_CRIT, msg, ap);
#endif
	}

	if(!(options & QUIET_ERROR))
	{
#ifdef	DEBUG
		fprintf(stdout, "%s\r\n",
			(!(options & DEBUG_ERROR)) ? " >" : "");
#else
		fprintf(stdout, " >\r\n");
#endif
	}

	va_end(ap);

	fflush(stdout);

	if(options & FATAL_ERROR)
		exit(1);

	return;
}



 

It is therefore possible to corrupt memory by passing format strings through the
vulnerable function. This may potentially be exploited to overwrite arbitrary
locations in memory with attacker-specified values.
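As an added example (not zkfingerd's code), here is a hardened shape for the die.c helper: the format is always a compile-time literal, text that arrived over the network travels only as a %s argument, and a format attribute lets the compiler enforce that. The names render_error and log_untrusted and the "finger"/"die.c"/107 call-site values are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Example added to this advisory, not zkfingerd's code. The format is always
 * a literal at the call site and the helper carries a format attribute, so
 * gcc/clang -Wformat -Wformat-security reject a non-literal format at compile
 * time. Names and the "finger"/"die.c"/107 values are this example's own. */
__attribute__((format(printf, 6, 7)))
int render_error(char *out, size_t outlen, const char *function,
                 const char *file, int line, const char *fmt, ...)
{
	va_list ap;
	int n, m;

	/* Same prefix as the DEBUG path in die.c, built from a literal format. */
	n = snprintf(out, outlen, "DBG %s:%s:%d: < ", function, file, line);
	if (n < 0 || (size_t)n >= outlen)
		return -1;

	va_start(ap, fmt);
	m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
	va_end(ap);
	if (m < 0 || (size_t)(n + m) >= outlen)
		return -1;

	/* Closing marker, again a literal; truncation is reported, not hidden. */
	if (snprintf(out + n + m, outlen - (size_t)(n + m), " >\r\n") != 4
	    || (size_t)(n + m + 4) >= outlen)
		return -1;
	return n + m + 4;
}

/* A caller that logs text received over the network passes it as a %s
 * argument, never as the format; syslog() gets the same fixed format. */
int log_untrusted(char *out, size_t outlen, const char *query)
{
	int n = render_error(out, outlen, "finger", "die.c", 107, "%s", query);

	if (n > 0)
		syslog(LOG_CRIT, "%s", query);
	return n;
}
```

Building the original die.c with gcc -Wformat -Wformat-security reports the fprintf(stdout, msg) and syslog(LOG_CRIT, msg) calls shown above, since both pass a non-literal format with no further arguments.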





I am studying the code; I will provide details on how to attack and exploit it......







.................................................................................................



*************************************************************************************************

By "jsk" (akun), in ph4nt0m.net(c) Security.



E-mail: jsk@ph4nt0m.net



ph4nt0m Security Home: http://www.ph4nt0m.net 

My World: http://jsk.njsafe.com

My GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc

