Subject: Re: Fwd: CERT Advisory CA-2002-12 Format String Vulnerability in ISC DHCPD
To: Jeremy C. Reed <reed@reedmedia.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 05/09/2002 07:40:52
In message <Pine.LNX.4.43.0205082132230.702-100000@pilchuck.reedmedia.net>, "Jeremy C. Reed" writes:
>
>
>It probably was not "suspicious". And anyways I don't know if the
>patches were sent to ISC.
>

It was suspicious -- it was a classic case of a format string vulnerability.  
Someone dropped the ball, though I don't know if it was a NetBSD 
developer or an ISC developer.

Very briefly, if you have

	printf(str);

instead of

	printf("%s", str);

and str is supplied by the enemy, you are in danger.  (For the gory 
details, see http://online.securityfocus.com/archive/1/81565)

From the CERT advisory, this was an indirect call, but the problem is 
the same.



		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
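An added example, not from Steve's message and not code from ISC dhcpd or NetBSD: a hypothetical variadic logging wrapper of the "indirect call" shape the advisory describes, with the caller hardened so untrusted text is always an argument and never the format. The `format` attribute lets gcc/clang flag a non-literal format at compile time (-Wformat -Wformat-security).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sink standing in for syslog() so the result can be checked. */
static char g_logbuf[256];

/* Hypothetical wrapper: whatever arrives in fmt is handed to vsnprintf(),
 * so a caller that passes untrusted data as fmt recreates the advisory's
 * bug one level removed. The attribute makes the compiler warn on that. */
__attribute__((format(printf, 1, 2)))
static int log_msg(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(g_logbuf, sizeof g_logbuf, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened caller: the client-supplied string is an argument to a
 * fixed format, the same fix as printf("%s", str) in the message. */
const char *log_untrusted(const char *client_supplied)
{
    log_msg("client sent: %s", client_supplied);
    return g_logbuf;
}

/* The vulnerable shape would be
 *     log_msg(client_supplied);
 * i.e. attacker-chosen conversions reaching vsnprintf() as the format. */

int main(void)
{
    /* Constructed sample: a client option containing conversion specs. */
    const char *sample = "host-%x-%n";

    puts(log_untrusted(sample)); /* the specs are logged literally */
    return 0;
}
```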