HylaFAX vulnerability

From: Marcin Dawcewicz (miv@IIDEA.PL)
Date: Thu Apr 12 2001 - 03:22:20 CEST


    Hi,

    I've found a classical format bug while I was playing with HylaFAX
    server (v4.1 beta2):

    $ [ -u /usr/sbin/hfaxd ] && /usr/sbin/hfaxd -q '%n%n' # SUID uucp
    Segmentation fault

    It crashes while calling syslog() with user supplied fmt. Looks nasty.

    Sorry, I have no working exploit, I won't have one and I have no idea if
    there are other similar bugs in HylaFAX. I just thought it will be nice to
    bring this case to your attention, guys. Maybe someone, who has more time
    than I have can do a little more research.

    --
    greets,
    

    -= Marcin Dawcewicz =- mailto: miv@gnu.org.pl "When freedom is outlawed, only outlaws will be free"
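
The usual remedy for a syslog() call that takes a user-supplied format, as an added example that is not part of the original post and is not HylaFAX source: the format string stays constant and the untrusted text is passed only as an argument. The names `count_format_directives` and `log_untrusted_arg` are hypothetical, and the input is constructed to match the `-q '%n%n'` argument in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern described in the report (kept as a comment only):
 *     syslog(LOG_ERR, user_arg);    -- user_arg becomes the format string
 * Hardened pattern below: constant format, user text is plain data. */

/* Count conversion directives in untrusted text; "%%" is a literal percent.
 * A non-zero count in a command-line option is a useful audit signal. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        if (s[1] != '\0')       /* '%' followed by anything else is a directive */
            n++;
    }
    return n;
}

/* Hypothetical wrapper: builds the record with a fixed format, leaves the
 * exact logged text in `out`, and returns its length (-1 if it won't fit). */
int log_untrusted_arg(const char *option, const char *value,
                      char *out, size_t outlen)
{
    int len = snprintf(out, outlen, "option %s: \"%s\" (%zu format directives)",
                       option, value, count_format_directives(value));
    if (len < 0 || (size_t)len >= outlen)
        return -1;                      /* refuse truncated records */
    syslog(LOG_WARNING, "%s", out);     /* constant format, text as argument */
    return len;
}

int main(void)
{
    char line[256];
    /* Constructed input matching the argument shown in the report. */
    if (log_untrusted_arg("-q", "%n%n", line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag calls where a non-literal string is passed as the format with no further arguments.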


