
Re: format strings vulns in /bin/login and /usr/bin/passwd: msg#00056

security.vulnerabilities

Subject: Re: format strings vulns in /bin/login and /usr/bin/passwd

Faulty,
Just because there's a *printf function called from the code doesn't mean it's vuln. They'd have to overwrite data somewhere by possible mis-use of the function(s). I do not know which flavor of Unix this is from, so I'm unable to look over the source code at those lines specified.
Perhaps you need to look at them and see if they don't use any format strings and instead just pass variables -- that's always a tell-tale sign :)

Brandon E. Erhart

At 02:19 AM 1/26/2003, Faulty@xxxxxxx www.b0f.net wrote:


Hello, while doing a scan for format strings vulns on util-linux package
it came back with the following results.

./login.c:398 FUNC fprintf
./login.c:425 FUNC fprintf
./login.c:597 FUNC fprintf
./login.c:614 FUNC fprintf
./login.c:775 FUNC printf
./login.c:796 FUNC fprintf
./login.c:800 FUNC fprintf
./login.c:1109 FUNC syslog
./login.c:1119 FUNC printf
./login.c:1127 FUNC fprintf
./login.c:1183 FUNC fprintf
./login.c:1190 FUNC fprintf
./login.c:1201 FUNC fprintf

./passwd.c:161 FUNC printf
./passwd.c:174 FUNC printf
./passwd.c:175 FUNC printf
./passwd.c:176 FUNC printf
./passwd.c:181 FUNC printf
./passwd.c:186 FUNC printf
./passwd.c:197 FUNC printf
./passwd.c:204 FUNC printf
./passwd.c:222 FUNC printf
./passwd.c:223 FUNC printf
./passwd.c:277 FUNC fprintf
./passwd.c:316 FUNC printf
./passwd.c:323 FUNC printf
./passwd.c:331 FUNC printf
./passwd.c:401 FUNC syslog
./passwd.c:410 FUNC printf
./passwd.c:414 FUNC printf
./passwd.c:420 FUNC printf

There are also a few others in other programs, but I thought these 2 would
be most important since passwd is suid and login could be exploited
remotely. I am not very experienced in format strings; any help/comments
would be great. Would these be able to get exploited?

Regards

Faulty@xxxxxxx

www.b0f.net
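
The reply's point is that a scanner hit only matters when the format argument is a variable rather than a literal. The following Python triage of such hits is an added example, not part of the original thread and not the scanner used in it; the names `triage` and `split_args` and the `SAMPLE` fragment are constructed for illustration, and the parser assumes the source has no char literals or comments containing quotes or parentheses.

```python
import re

# Position of the format-string argument for each function the scan reported.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "syslog": 1, "sprintf": 1, "snprintf": 2}
CALL = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")
LITERAL = re.compile(r'^(?:_\s*\(\s*)?"')   # "..." or gettext-style _("...")

def split_args(text, i):
    """Split a call's arguments at top-level commas; i is just past '('."""
    args, cur, depth = [], "", 0
    while i < len(text):
        ch = text[i]
        if ch == '"':                        # copy a string literal verbatim
            j = i + 1
            while j < len(text) and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            cur, i = cur + text[i:j + 1], j + 1
            continue
        if ch == ")" and depth == 0:         # end of this call
            break
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
        i += 1
    return args + [cur.strip()]

def triage(source):
    """Return (line, function, verdict) for every *printf/syslog call."""
    hits = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end())
        idx = FORMAT_ARG[m.group(1)]
        fmt = args[idx] if idx < len(args) else ""
        verdict = "literal" if LITERAL.match(fmt) else "REVIEW"
        hits.append((source.count("\n", 0, m.start()) + 1, m.group(1), verdict))
    return hits

# Constructed C fragment, not taken from util-linux.
SAMPLE = r'''printf("login: %s\n", user);
fprintf(stderr, _("bad user, try again (%d)\n"), tries);
printf(user);
syslog(LOG_ERR, msg);
syslog(LOG_ERR, "%s", msg);
'''
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A `REVIEW` verdict still needs a manual check of whether the variable can carry user-supplied data. GCC's `-Wformat -Wformat-security` reports non-literal format strings with no further arguments at compile time.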



