SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   less
Vendors:   GNU [multiple authors]
GNU less Format String Flaw May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010988
SecurityTracker URL:  http://securitytracker.com/id/1010988
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 19 2004
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via network

Version(s): 358, 381, 382
Description:   A format string vulnerability was reported in GNU less. A remote user may be able to cause a target user to execute arbitrary code.

Serkan Akpolat reported that open_altfile() in 'filename.c' passes the value of the LESSOPEN environment variable to sprintf() as the format string, with the file name as its only argument (see the source message below). According to the report, a remote or local user may be able to create a specially crafted file name that, when processed by a target user with less, will trigger the format string flaw and execute arbitrary code. The code would run with the privileges of the target user.

[Editor's note: Arbitrary code execution was not confirmed in the report. In the quoted code the format string is the LESSOPEN value itself and the file name is only its argument, so the report does not show how an attacker who controls only the file name would control the conversions that sprintf() interprets.]

Impact:   A remote or local user may be able to cause a target user to execute arbitrary code [however, code execution was not confirmed in the report].
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.gnu.org/software/less/less.html
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] gnu-less Format String Vulnerability



+-----[ Software ]-----+

Less is a program similar to more, but which allows backward movement in
the file as well as forward movement. Also, less does not have to read
the entire input file before starting, so with large input files it 
starts up faster than text editors like vi.
Less uses termcap (or terminfo on some systems), so it can run on a 
variety of terminals. There is even limited support for hardcopy terminals.

+-----[ Tested Versions ]-----+

less-382
less-381
less-358

+-----[ Description ]-----+

Format string vulnerability.


+-----[ Vulnerable Code ]-----+
 From less-382:

[filename.c] : 787

     public char *
open_altfile(filename, pf, pfd)
     char *filename;
     int *pf;
     void **pfd;
{
     ...................
     if ((lessopen = lgetenv("LESSOPEN")) == NULL
     ...................
     sprintf(cmd, lessopen, filename); <-- Format String Problem Here
     ...................

}

+-----[ Greets  ]-------+

Virulent, gorny and all other netricians

+-----------------------+

+-----[ Contact ]-----+

http://deicide.siyahsapka.org

        deicide@siyahsapka.org

+----------------------+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
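The call quoted above, sprintf(cmd, lessopen, filename), hands whatever is in LESSOPEN to sprintf() as the format string. The example below is added by the editor and is not code from less or from the report: it shows the check and the replacement a practitioner would want for that call site, namely validating that the template contains at most one "%s" and no other conversion, and then expanding it by hand so the template never reaches a printf-family function. The function names lessopen_template_ok() and expand_lessopen() and the sample templates and file names are this example's own assumptions, not identifiers from less.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Vulnerable pattern from the report (deliberately not called here):
 *     sprintf(cmd, lessopen, filename);
 * Whatever is in LESSOPEN becomes the format string, so any "%n", "%x"
 * or second "%s" in it is interpreted by sprintf. The two functions below
 * are a hypothetical replacement for that call: the template is validated
 * first, then expanded by hand, so it is never passed as a format string.
 */

/* Accept a template only if it contains at most one "%s" and no other
 * conversion. "%%" is allowed as a literal percent sign. Returns 1 if ok. */
int lessopen_template_ok(const char *fmt)
{
    int nsub = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;               /* "%%": literal percent */
        if (*p == 's') {
            if (++nsub > 1)
                return 0;           /* a second "%s" would have no argument */
            continue;
        }
        return 0;                   /* "%n", "%x", "%10s", trailing "%", ... */
    }
    return 1;
}

/* Expand a validated template: "%s" becomes filename, "%%" becomes "%".
 * The file name is copied as data, so "%n" inside it is inert. Returns a
 * malloc'd string, or NULL if the template is rejected or memory is short. */
char *expand_lessopen(const char *fmt, const char *filename)
{
    if (!lessopen_template_ok(fmt))
        return NULL;

    size_t flen = strlen(filename);
    /* strlen(fmt) + flen + 1 is an upper bound: "%s" (2 bytes) is replaced
     * by filename, "%%" shrinks to one byte, everything else is copied. */
    char *out = malloc(strlen(fmt) + flen + 1);
    if (out == NULL)
        return NULL;

    char *o = out;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p == '%') {
            p++;                    /* validated: next byte is 's' or '%' */
            if (*p == 's') {
                memcpy(o, filename, flen);
                o += flen;
            } else {
                *o++ = '%';
            }
            continue;
        }
        *o++ = *p;
    }
    *o = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a few LESSOPEN-style templates and a hostile file name. */
    const char *hostile_name = "%n%n%n.txt";
    const char *templates[] = { "|lesspipe.sh %s", "|lesspipe.sh %s %s", "%n", "100%% %s" };
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        char *cmd = expand_lessopen(templates[i], hostile_name);
        printf("%-22s -> %s\n", templates[i], cmd ? cmd : "(rejected)");
        free(cmd);
    }
    return 0;
}
```

With this substitution a file name containing "%n" is copied verbatim into the command and never interpreted. Note that the expanded string is still a command line; if it is subsequently handed to a shell, shell metacharacters in the file name are a separate concern that this example does not address.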

 
 



Copyright 2020, SecurityGlobal.net LLC