Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: pwc.htm

Pwc exploitable buffer overrun



Vulnerability

    pwc

Affected

    pwc

Description

    Wojtek Pawlikowski found following.  There is a format string  bug
    in 'pwc' (ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz).   This
    CGI  script  is  used  to  change  users password via www (blah!).
    writelog() call syslog() function, which 'eats' characters and log
    it to system logs.  But you can paste shellcode into  buffers[512]
    and syslog() will run it without any problems.

        void writelog(const char *fmt, ...)
        {
	        va_list args;
	        char buffers[512];
        
	        va_start(args, fmt);
        
	        openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT | LOG_AUTH);
	        vsnprintf(buffer, 512, fmt, args);
	        syslog(LOG_ERR, buffer);
	        closelog();
	        return;
	        va_end(args);
        }

    As you can see this is potential security bug.

Solution

    Change

        syslog(LOG_ERR, buffer);

    to

        syslog(LOG_ERR, "%s", buffer);


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH