Opened 15 months ago

Closed 15 months ago

Last modified 15 months ago

#16375 closed bug (fixed)

Format string bug causes DoS and RCE

Reported by: douro Owned by: mmu_man
Priority: normal Milestone: R1/beta3
Component: Applications/CodyCam Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

https://git.haiku-os.org/haiku/tree/src/apps/codycam/FtpClient.cpp#n86

printf with an unspecified format string causes an AAW (arbitrary address write), and in this code, buf is a filename on the remote server.

If the attacker has access to the FTP server, then with many files named as format strings the attacker can brute-force the stack address, libc address and return address in one go, so this bug is usable for running evil code.

This is, generally speaking, the case on systems using glibc's printf.

I don't have a web camera that works with this OS, so I can't reproduce a stack trace, but I verified that printf("aaaaa%1$n%2$n%3$n"); causes a crash in all versions.

In the end, printf("%s", buf); seems to be the better code.
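
The pattern the ticket describes, shown side by side with the fix, as an added example. This is not CodyCam's code and not the change in hrev54411; it is an illustration written for this page. The helper log_line, the function names and the sample FTP listing are all constructed for the example. The vulnerable variant is defined only for comparison and is never executed, because a filename containing %n or %p makes its behaviour undefined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Variadic logging helper (constructed for this example). Whatever arrives
 * in `fmt` is interpreted as a printf format string. */
int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* BEFORE: the remote filename is passed as the format string itself.
 * With a listing entry such as "aaaaa%1$n%2$n%3$n", %n writes to whatever
 * happens to sit in the variadic argument slots: undefined behaviour, and
 * the basis for the stack/libc leak and overwrite the report describes.
 * Kept here for comparison only; nothing below calls it. */
int log_remote_name_vulnerable(char *out, size_t n, const char *filename)
{
    return log_line(out, n, filename);
}

/* AFTER: the fix the ticket suggests. The format is a literal and the
 * filename is plain data, so "%n" in a name is copied as four characters. */
int log_remote_name_fixed(char *out, size_t n, const char *filename)
{
    return log_line(out, n, "%s", filename);
}

/* Audit helper: does a string contain a conversion directive an attacker
 * (or an innocent file name) could trigger? "%%" is a literal percent sign
 * and is skipped; any other '%' starts a directive. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;            /* escaped percent, harmless */
            continue;
        }
        return 1;           /* %n, %p, %1$n, %le ... */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample directory listing as an FTP server might return it. */
    const char *listing[] = {
        "photo_001.jpg",        /* ordinary name */
        "100%legit.jpg",        /* benign name that still contains "%le" */
        "aaaaa%1$n%2$n%3$n",    /* the crash string from the report */
        "%p%p%p%p%p%p%p%p",     /* classic stack leak probe */
    };
    char out[256];

    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++) {
        int n = log_remote_name_fixed(out, sizeof out, listing[i]);
        printf("%-20s directive=%d  fixed path logs %d bytes: \"%s\"\n",
               listing[i], has_format_directive(listing[i]), n, out);
    }
    return 0;
}
```

Note that the second entry shows why "just reject names containing %n" is not a fix: a perfectly legitimate file name can contain a directive, and only the "%s" form handles every name safely.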

Change History (6)

comment:1 by waddlesplash, 15 months ago

Resolution: fixed
Status: new → closed

Fixed in hrev54411, and backported to the beta2 branch. Thanks for reporting!

comment:2 by pulkomandy, 15 months ago

Milestone: Unscheduled → R1/beta3

comment:3 by nielx, 15 months ago

Shouldn't this be R1/beta2? It has been backported and will be built and distributed this Sunday.

comment:4 by pulkomandy, 15 months ago

Well, it's not part of the beta2 release, but is an update to it. I'd say the milestones are matched with the releases rather than the maintenance branches?

It could be "beta 2.1" if we planned to do such a thing, but I think we don't.

comment:5 by nielx, 15 months ago

I have no strong feelings either way, I think it sort of comes back to my message on the ML a few weeks back about how we handle these implicit updates/service packs/hotfixes.

We have the wiki:R1/Beta2/ReleaseAddendum page. I am inclined to at least update that to note the existence of these fixes there.

comment:6 by nielx, 15 months ago

A good example is the Windows 10 Health Dashboard.

I will list the updates
