On Wed, Mar 20, 2002 at 11:35:04AM +0100, Wojciech Purczynski wrote:
> 1.
>
> Libsafe protection against format string exploits may be easily bypassed
> using flag characters that are implemented in glibc but are not
> implemented in libsafe.
>
> 2.
>
> Libsafe *printf function wrappers incorrectly parse argument indexing in
> format strings. They always assume that the n-th conversion specification
> uses the n-th argument and do not properly count the real number of
> arguments used. Thus, arguments whose index numbers are above the total
> number of conversion specifications are not verified at all.

I'd like to point out that the Immunix FormatGuard tool (which provides
protection against format string attacks similar to libsafe's) is not
vulnerable to these kinds of attacks because it explicitly uses glibc's
parse_printf_format() to determine the number of arguments required for a
given format string -- parse_printf_format() is the same function that
glibc's *printf() functions use internally to parse arguments.

-- 
Steve Beattie                                   Don't trust programmers?
<steve@wirex.net>                       Complete StackGuard distro at
http://NxNW.org/~steve/                                      immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
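The two counting rules at issue, as an added example in C that is not code from libsafe, FormatGuard or the thread above: a naive counter that models the behaviour the advisory describes (the n-th conversion specification is assumed to read the n-th argument) beside a parser that honours glibc's full flag set, '*' width and precision, and "%m$" positional references, and returns the highest argument index the format really touches, which is the quantity a *printf wrapper has to check against the caller's frame. Where glibc is present the result is cross-checked against parse_printf_format() from <printf.h>; on other libcs that check is compiled out. The function names and the sample format strings are my own constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef __GLIBC__
#include <printf.h>   /* parse_printf_format(), a glibc extension */
#endif

/* Consume a leading "m$" positional prefix (m >= 1) at *pp and return m;
 * return 0 and leave *pp untouched if there is none. "%05d" and "%5d"
 * must not be mistaken for positional forms, so the '$' is mandatory. */
static int read_dollar_index(const char **pp)
{
    const char *q = *pp;
    int m = 0;
    while (isdigit((unsigned char)*q))
        m = m * 10 + (*q++ - '0');
    if (m > 0 && *q == '$') {
        *pp = q + 1;
        return m;
    }
    return 0;
}

/* Account for one argument read: the explicit index if the spec gave one,
 * otherwise the next sequential slot. Track the highest index touched. */
static void use_arg(int pos, int *next, int *highest)
{
    int idx = pos ? pos : ++*next;
    if (idx > *highest)
        *highest = idx;
}

/* The rule the advisory attributes to libsafe: count conversion
 * specifications and assume the n-th one reads the n-th argument.
 * (A model of that description, not libsafe's actual code.) */
int count_specs_naive(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Number of arguments the format really needs: the highest 1-based index
 * referenced by any conversion, '*' width or '*' precision, whether
 * positional ("%m$", "*m$") or sequential. This matches what glibc's
 * parse_printf_format() returns for a well-formed format. */
int count_args_required(const char *fmt)
{
    int next = 0, highest = 0;
    const char *p = fmt;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {   /* "%%" */
            p++;
            continue;
        }
        int pos = read_dollar_index(&p);
        if (pos > highest)
            highest = pos;

        /* All glibc flag characters, including ' (grouping) and I (locale
         * digits). A wrapper that stops at a flag it does not know never
         * reaches the conversion, and the argument, that follows it. */
        while (*p && strchr("#0- +'I", *p))
            p++;

        /* Field width: digits, "*" (next argument) or "*m$". */
        if (*p == '*') {
            p++;
            use_arg(read_dollar_index(&p), &next, &highest);
        } else {
            while (isdigit((unsigned char)*p))
                p++;
        }

        /* Precision: ".digits", ".*" or ".*m$". */
        if (*p == '.') {
            p++;
            if (*p == '*') {
                p++;
                use_arg(read_dollar_index(&p), &next, &highest);
            } else {
                while (isdigit((unsigned char)*p))
                    p++;
            }
        }

        /* Length modifiers carry no argument of their own. */
        while (*p && strchr("hlLqjzt", *p))
            p++;

        if (*p == '\0')
            break;               /* spec truncated at end of string */
        if (*p != 'm')           /* glibc's %m prints strerror(errno), no argument */
            use_arg(pos, &next, &highest);
        p++;
    }
    return highest;
}

/* Cross-check against glibc's own parser where available; returns 1 when
 * the two agree, or when parse_printf_format() is not present at all. */
int matches_glibc(const char *fmt)
{
#ifdef __GLIBC__
    return (int)parse_printf_format(fmt, 0, NULL) == count_args_required(fmt);
#else
    (void)fmt;
    return 1;
#endif
}

int main(void)
{
    /* Constructed samples; the last two are the shapes the advisory
     * describes: flags a wrapper may not parse, and a positional index far
     * beyond the number of conversion specifications. */
    const char *samples[] = {
        "%s=%d", "100%%", "%*.*f", "%3$*1$d", "%'d %Id", "%5$n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s naive=%d required=%d glibc-agrees=%d\n",
               samples[i], count_specs_naive(samples[i]),
               count_args_required(samples[i]), matches_glibc(samples[i]));
    return 0;
}
```

On "%5$n" the naive rule yields 1 while the real requirement is 5, so a wrapper that verifies only the first argument never looks at the pointer that the %n write goes through; that is the gap the advisory's second point describes. Mixing positional and sequential conversions in one format string is undefined by POSIX, so the parser is only exercised on one style per string.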