Format String Bug causes DoS and RCE
Reported by: douro
Owned by: mmu_man
printf with an unspecified format string causes AAW, and in this code
buf is a filename on the remote server.
If an attacker has access to the ftp server, then with many files named as format strings the attacker can bruteforce the stack address, the libc address and the return address one time, so this bug has availability for evil code.
This is in general talk in systems using glibc-printf.
I don't have a web-camera matching this OS so I can't reproduce a stack trace, but I verified that
printf("aaaaa%1$n%2$n%3$n"); causes a crash in all versions.
In the end,
printf("%s", buf); seems to be better code.
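The fix suggested in the report, as an added example that is not part of the original ticket or the project's code: the remote filename is passed as an argument to a constant "%s" format, and a small scanner flags names that contain conversion directives so they can be logged. The function names and the sample constant are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the string from the report, as a remote server could return it. */
static const char SAMPLE_NAME[] = "aaaaa%1$n%2$n%3$n";

/* Hardened form: the untrusted name is an argument, never the format.
 * The vulnerable form would be snprintf(out, outlen, name). */
int format_name_safe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "%s", name);
}

/* Count conversion directives in an untrusted string and report whether any
 * is a %n-style write. "%%" is a literal percent sign and is skipped. */
int count_directives(const char *s, int *has_write)
{
    int count = 0;
    *has_write = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        s++;
        /* Skip positional index, flags, width, precision and length modifiers. */
        s += strspn(s, "0123456789$#-+ '.*hlLqjzt");
        if (*s == '\0')
            break;              /* dangling '%' at end of string */
        count++;
        if (*s == 'n')
            *has_write = 1;
    }
    return count;
}

int main(void)
{
    char out[64];
    int has_write;
    int n = count_directives(SAMPLE_NAME, &has_write);
    format_name_safe(out, sizeof out, SAMPLE_NAME);
    printf("name printed literally: %s\n", out);
    printf("directives=%d write=%d\n", n, has_write);
    return 0;
}
```

Building with -Wformat-security (or -Werror=format-security) makes GCC and Clang report calls where a non-literal string is passed as the format with no arguments.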