[VIM] Re: Iron Bars SHell format string - two, not one

Steven M. Christey coley at linus.mitre.org
Wed May 25 12:07:11 EDT 2005


On Wed, 25 May 2005, security curmudgeon wrote:

> : While there is a fix in log_attempt() in misc.c that's relevant to
> : format strings and syslog, there's only one usage of log_attempt, with a
> : username that's obtained from the password file, so there's no real
> : vulnerable code path.
>
> So two format string issues. One is not used anywhere? The other is used
> in a single place but offers no way for a user to inject their own
> content, as it comes from the password file?

The log_attempt format string has no way for a user to inject content.

The logPrintBadfile format string does appear to do so, however.

The shell implements a "jail" and part of the functionality involves
cleaning up symlinks that attempt to reference files outside of the jail.

from delbadfiles.c:

void DelBadFiles (const char *basedir)
{
 ...
 ...
    } else if ( S_ISLNK(attr.st_mode) ) { /* in the case of a symlink */
      if ( symlinkGoesOuttaJail(list->d_name) ) {
#ifdef DEBUG
        printf("symlinkoutofjail: %s\n", list->d_name);
#endif
        if (unlink(list->d_name) == 0) {
          bzero (tmp, sizeof(tmp));
          snprintf (tmp, sizeof(tmp)-1, "Illegal symbolic link %s was
erased. Contact the sysadmin for policy.\n", list->d_name);
          logPrintBadfile (tmp);
        }

So, based on source code inspection, it looks like the attacker could
create a symlink that points out of the jail and contains format strings,
which would then be processed by logPrintBadfile when the symlink is
deleted.

> If so, those are programming bugs but not vulnerabilities it sounds like..

There's the code path above, and a couple others it appears.

- Steve


More information about the VIM mailing list