[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] gnu-less Format String Vulnerability
- To: Serkan Akpolat <sakpolat@xxxxxxx>
- Subject: Re: [Full-Disclosure] gnu-less Format String Vulnerability
- From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 Aug 2004 10:47:13 -0400
> +-----[ Description ]-----+
>
> Format string vulnerability.
>
>
> +-----[ Vulnerable Code ]-----+
> From less-382:
>
> [filename.c] : 787
>
> public char *
> open_altfile(filename, pf, pfd)
> char *filename;
> int *pf;
> void **pfd;
> {
> ...................
> if ((lessopen = lgetenv("LESSOPEN")) == NULL
> ...................
> sprintf(cmd, lessopen, filename); <-- Format String Problem Here
> ...................
>
> }
I am sorry, I fail to see how this is a vulnerability.
If you have control of LESSOPEN, you already have shell, since, from the
man page:
"An input preprocessor is simply an executable program (or shell
script), which writes the contents of the file to a different file,
called the replacement file.
...
To set up an input preprocessor, set the LESSOPEN environment
variable to a command line which will invoke your input preprocessor."
Perhaps it would be better written if the LESSOPEN parser only allowed
%s to work, as advertized, and not the other sprintf codes, but it
really isn't a security issue (unless I am totally missing something).
If you are really worried about it, add the -L option when running less,
and it will ignore LESSOPEN.
cheers,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html