#16375 closed bug (fixed)
Format String Bug causes DoS and RCE
| Reported by: | douro | Owned by: | mmu_man |
|---|---|---|---|
| Priority: | normal | Milestone: | R1/beta3 |
| Component: | Applications/CodyCam | Version: | |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
https://git.haiku-os.org/haiku/tree/src/apps/codycam/FtpClient.cpp#n86
printf with an unspecified format string causes an AAW (arbitrary address write), and in this code, buf
is the filename on the remote server.
If the attacker has access to the FTP server, then with many files named as format strings the attacker can brute-force the stack address, libc address and return address in one pass, so this bug can be used to run evil code.
This is the general case on systems using glibc's printf.
I don't have a web camera that works with this OS, so I can't reproduce a stack trace, but I verified that printf("aaaaa%1$n%2$n%3$n");
causes a crash in all versions.
In the end, printf("%s", buf);
seems to be the better code.
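To make the report's point concrete, the following is an added example written for this page; it is not CodyCam code and nothing in it comes from the Haiku tree. It scans an untrusted string the way printf would parse it as a format, but without executing it, so it can count how many arguments a filename such as "aaaaa%1$n%2$n%3$n" would read, how many %n writes it would perform, and whether it uses positional (n$) selectors. It also shows the fixed pattern from the report, with the name passed as an argument to "%s" rather than as the format. The helper names (scan_format, filename_is_suspicious, log_filename) and the sample filenames are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*
 * Scan an untrusted string the way printf would parse it as a format,
 * without ever executing it. Used here to show why a remote FTP filename
 * must never reach printf() as the format argument.
 */
typedef struct {
    int directives;   /* conversions that read a (non-existent) argument */
    int writes;       /* %n conversions: each one writes to memory */
    int positional;   /* n$ forms such as %7$x, used to pick a stack slot */
    bool malformed;   /* lone '%' at end of string or unknown conversion */
} fmt_scan;

static fmt_scan scan_format(const char *s)
{
    fmt_scan r = {0, 0, 0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                    /* "%%" is a literal percent sign */

        /* optional positional argument: digits followed by '$' */
        const char *q = p;
        while (*q >= '0' && *q <= '9')
            q++;
        if (q > p && *q == '$') {
            r.positional++;
            p = q + 1;
        }
        /* flags */
        while (*p && strchr("-+ #0'", *p))
            p++;
        /* field width: digits, or '*' which itself consumes an argument */
        if (*p == '*') {
            r.directives++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        /* precision, same rules as width */
        if (*p == '.') {
            p++;
            if (*p == '*') {
                r.directives++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        /* length modifiers */
        while (*p && strchr("hlLqjzt", *p))
            p++;
        /* conversion character */
        if (*p == '\0') {
            r.malformed = true;
            break;
        }
        if (*p == 'n')
            r.writes++;
        else if (strchr("diouxXeEfFgGaAcsp", *p))
            r.directives++;
        else
            r.malformed = true;
    }
    return r;
}

/* True if printf(name) would read arguments, write memory, or be malformed. */
static bool filename_is_suspicious(const char *name)
{
    fmt_scan r = scan_format(name);
    return r.directives > 0 || r.writes > 0 || r.positional > 0 || r.malformed;
}

/* The fixed pattern from the report: the name is an argument, never the format. */
static int log_filename(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "%s", name);
}

int main(void)
{
    /* Constructed sample filenames, including the string from the report. */
    const char *names[] = {
        "photo.jpg", "report%%2024.txt", "aaaaa%1$n%2$n%3$n", "%08x.%08x.%08x.%s"
    };
    char line[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        fmt_scan r = scan_format(names[i]);
        log_filename(line, sizeof line, names[i]);
        printf("%-24s reads=%d writes=%d positional=%d malformed=%d %s\n",
               line, r.directives, r.writes, r.positional, r.malformed,
               filename_is_suspicious(names[i]) ? "SUSPICIOUS" : "ok");
    }
    return 0;
}
```

The scanner is only an audit aid: the actual fix is never to let data reach the format argument, since any directive in a string passed as printf(buf) reads arguments that were never supplied, and %n turns that into a write.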
Change History (6)
comment:1 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 4 years ago
| Milestone: | Unscheduled → R1/beta3 |
|---|---|
comment:3 by , 4 years ago
Shouldn't this be R1/beta2? It has been backported and will be built and distributed this Sunday.
comment:4 by , 4 years ago
Well, it's not part of the beta2 release, but is an update to it. I'd say the milestones are matched with the releases rather than the maintenance branches?
It could be "beta 2.1" if we planned to do such a thing, but I think we don't.
comment:5 by , 4 years ago
I have no strong feelings either way, I think it sort of comes back to my message on the ML a few weeks back about how we handle these implicit updates/service packs/hotfixes.
We have the wiki:R1/Beta2/ReleaseAddendum page. I am inclined to at least update that to note the existence of these fixes there.
comment:6 by , 4 years ago
A good example is the Windows 10 Health Dashboard.
I will list the updates.
Fixed in hrev54411, and backported to the beta2 branch. Thanks for reporting!