Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: Chris G. Demetriou <cgd@sibyte.com>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-userlevel
Date: 09/11/2000 15:16:02
> It is fundamentally unsafe to pass user data as the format string to
> printf. %n may make this exploitable in a way that can set a value in
> the program, but the fundamental issue is still there and should be
> addressed by fixing the issue, not by band-aiding printf() et al. in a
> non-standard way.
%n allows a error which would otherwise allow for a *read* of an
arbitrary address (and likely program-terminating core dump) into one
which allows arbitrary writes into arbitrary locations, allowing
complete subversion of program behavior.
program-crashing denials of service are significantly less severe than
holes which allow an attacker to patch an arbitrary location to an
arbitrary value and/or execute arbitrary code.
I have no objection to continuing to support %n in
compile-time-constant format strings, as long as we're protected from
%n exploits in run-time variable format strings.
- Bill