Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#16375 closed bug (fixed)

Format String Bug causes DoS and RCE

Reported by: douro Owned by: mmu_man
Priority: normal Milestone: R1/beta3
Component: Applications/CodyCam Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

https://git.haiku-os.org/haiku/tree/src/apps/codycam/FtpClient.cpp#n86

printf with an unspecified format string causes an AAW, and in this code, buf is a filename on the remote server.

If an attacker has access to the FTP server, with many files named as format strings the attacker can brute-force the stack address, libc address and return address at once, so this bug is usable for evil code.

This is, in general, the case in systems using glibc printf.

I don't have a webcam matching this OS, so I can't reproduce the stack trace, but I verified that printf("aaaaa%1$n%2$n%3$n"); causes a crash in all versions.

In the end, printf("%s", buf); seems to be the better code.
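The fix the ticket settles on (a literal "%s" format with the remote filename passed as an argument) beside a reviewer check for strings that must never be used as a format, as an added C example that is not code from the Haiku tree or from the reporter; the filename constant and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample filename as it might arrive in a remote FTP directory
 * listing; it is attacker-controlled and carries printf directives. */
static const char kRemoteName[] = "photo_%08x_%n.jpg";

/* The ticket reports the remote string used as the format: printf(buf);
 * GCC's -Wformat-security warns on that call (non-literal format, no args).
 * The fix proposed in the ticket makes the format a literal and passes the
 * untrusted data as an argument, so '%' in buf is printed, not parsed. */
static int log_name_safe(char *out, size_t out_len, const char *buf)
{
    return snprintf(out, out_len, "%s", buf);
}

/* Returns 1 if the hardened call reproduces buf byte for byte with the
 * correct length, 0 otherwise (including when buf would not fit). */
static int safe_log_preserves_input(const char *buf)
{
    char line[256];
    int written = log_name_safe(line, sizeof line, buf);
    if (written < 0 || (size_t)written >= sizeof line)
        return 0;
    return strcmp(line, buf) == 0 && (size_t)written == strlen(buf);
}

/* Reviewer check: count conversion directives in a string about to be used
 * as a format. "%%" is a literal percent; any non-zero result is unsafe. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; ++s) {
        if (*s != '%')
            continue;
        if (s[1] == '%')      /* escaped percent: skip the pair */
            ++s;
        else
            ++n;
    }
    return n;
}

int main(void)
{
    printf("hardened call preserves input: %d, directives neutralised: %d\n",
           safe_log_preserves_input(kRemoteName),
           count_format_directives(kRemoteName));
    return 0;
}
```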

Change History (6)

comment:1 by waddlesplash, 3 years ago

Resolution: fixed
Status: new → closed

Fixed in hrev54411, and backported to the beta2 branch. Thanks for reporting!

comment:2 by pulkomandy, 3 years ago

Milestone: Unscheduled → R1/beta3

comment:3 by nielx, 3 years ago

Shouldn't this be R1/beta2? It has been backported and will be built and distributed this Sunday.

comment:4 by pulkomandy, 3 years ago

Well, it's not part of the beta2 release, but is an update to it. I'd say the milestones are matched with the releases rather than the maintenance branches?

It could be "beta 2.1" if we planned to do such a thing, but I think we don't.

comment:5 by nielx, 3 years ago

I have no strong feelings either way. I think it sort of comes back to my message on the ML a few weeks back about how we handle these implicit updates/service packs/hotfixes.

We have the wiki:R1/Beta2/ReleaseAddendum page. I am inclined to at least update that to note the existence of these fixes there.

comment:6 by nielx, 3 years ago

A good example is the Windows 10 Health Dashboard.

I will list the updates.
