[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] ez-ipupdate format string bug
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] ez-ipupdate format string bug
- From: Ulf Härnhammar <Ulf.Harnhammar.9485@xxxxxxxxxxxxx>
- Date: Thu, 11 Nov 2004 14:59:31 +0100
* ez-ipupdate format string bug *
"ez-ipupdate is a quite complete client for the dynamic DNS service offered
by http://www.ez-ip.net/ and many more. Currently supported are: ez-ip
[..] , Penguinpowered [..] , DHS [..] , dynDNS [..] , ODS [..] , TZO [..] ,
EasyDNS [..] , Justlinux [..] , Dyns [..] , HN [..] , ZoneEdit [..] and
Hurricane Electric's IPv6 Tunnel Broker [..]. All services using GNUDip are
also supported."
(from packages.debian.org)
I have found a format string bug in ez-ipupdate. It affects at least the
versions 3.0.11b8, 3.0.11b7, 3.0.11b6, 3.0.11b5 and 3.0.10. It doesn't affect
2.9.6. The vulnerability has the identifier CAN-2004-0980.
The format string bug allows a malicious remote server to execute arbitrary
code on the machine running ez-ipupdate, if and only if daemon mode is on
(very common) and certain service types are used. I have attached a trivial
patch (against 3.0.11b8) that corrects this problem.
It proved to be impossible to contact upstream, as all his e-mail addresses
bounced. The Linux and *BSD vendors that distribute ez-ipupdate have been
contacted, but so far only Mandrakelinux and SUSE Linux have published
patched versions.
// Ulf Harnhammar http://www.advogato.org/person/metaur/
for the
Debian Security Audit Project http://www.debian.org/security/audit/
--- ez-ipupdate.c.old 2002-03-12 00:31:47.000000000 +0100
+++ ez-ipupdate.c 2004-11-10 15:28:23.000000000 +0100
@@ -798,7 +798,7 @@ void show_message(char *fmt, ...)
sprintf(buf, "message incomplete because your OS sucks: %s\n", fmt);
#endif
- syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
}
else
{