
| Subject: | Re: [Full-disclosure] [+] Vulnerability in less version 394 and prior |
|---|---|
| Date: | Wed, 31 Oct 2007 08:23:52 +0100 |
On 10/31/07, glopeda.com <glopeda@glopeda.com> wrote:

> From: glopeda@glopeda.com
> Application: less 394 and prior
> Type: Format strings vulnerability
> Priority: Low
>
> Meager demonstration:
>
> $ export LESSOPEN=%s%n
> $ less somefile
> Segmentation fault
> $

Interesting...

$ echo $LESSOPEN
|lesspipe.sh %s
$ export LESSOPEN=%s%n
$ less iptraf.txt
/bin/bash: ./iptraf.txt: Permission denied

: No such file or directory
$ less --version
less 394
Copyright (C) 1984-2005 Mark Nudelman

less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Homepage: http://www.greenwoodsoftware.com/less
$ id
uid=1000(dentonj) gid=100(users) groups=11(floppy),17(audio),18(video),19(cdrom),83(plugdev),100(users)
$ ls -l iptraf.txt
-rw-r--r-- 1 dentonj users 300 2007-10-25 08:04 iptraf.txt
$ echo $LESSOPEN
%s%n
$ cat /etc/slackware-version
Slackware 12.0.0
$ strace /usr/bin/less iptraf.txt
execve("/usr/bin/less", ["/usr/bin/less", "iptraf.txt"], [/* 47 vars */]) = 0
brk(0) = 0x8065000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7efb000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=111039, ...}) = 0
mmap2(NULL, 111039, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7edf000
close(3) = 0
open("/lib/libncursesw.so.5", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\352"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=309276, ...}) = 0
mmap2(NULL, 311172, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e93000
mmap2(0xb7ed7000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x43) = 0xb7ed7000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@_\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1528742, ...}) = 0
mmap2(NULL, 1316260, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d51000
mmap2(0xb7e8d000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13c) = 0xb7e8d000
mmap2(0xb7e90000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7e90000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=13506, ...}) = 0
mmap2(NULL, 12412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d4d000
mmap2(0xb7d4f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d4f000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d4c000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d4c8d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7e8d000, 4096, PROT_READ) = 0
munmap(0xb7edf000, 111039) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(0) = 0x8065000
brk(0x8086000) = 0x8086000
stat64("/home/dentonj/.terminfo", 0xbfc67624) = -1 ENOENT (No such file or directory)
stat64("/usr/share/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
access("/usr/share/terminfo/x/xterm", R_OK) = 0
open("/usr/share/terminfo/x/xterm", O_RDONLY|O_LARGEFILE) = 3
read(3, "\32\0010\0&\0\17\0\235\1F\5xterm|xterm terminal"..., 4097) = 2522
close(3) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(2, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
open("/usr/bin/.sysless", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/sysless", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/home/dentonj/.less", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2586, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7efa000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2586
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7efa000, 4096) = 0
open("/usr/lib/locale/en_US/LC_IDENTIFICATION", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=378, ...}) = 0
mmap2(NULL, 378, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7efa000
close(3) = 0
open("/usr/lib/locale/en_US/LC_MEASUREMENT", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=28, ...}) = 0
mmap2(NULL, 28, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef9000
close(3) = 0
open("/usr/lib/locale/en_US/LC_TELEPHONE", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0
mmap2(NULL, 64, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef8000
close(3) = 0
open("/usr/lib/locale/en_US/LC_ADDRESS", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
mmap2(NULL, 160, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef7000
close(3) = 0
open("/usr/lib/locale/en_US/LC_NAME", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=82, ...}) = 0
mmap2(NULL, 82, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef6000
close(3) = 0
open("/usr/lib/locale/en_US/LC_PAPER", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=39, ...}) = 0
mmap2(NULL, 39, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef5000
close(3) = 0
open("/usr/lib/locale/en_US/LC_MESSAGES", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
close(3) = 0
open("/usr/lib/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
mmap2(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef4000
close(3) = 0
open("/usr/lib/locale/en_US/LC_MONETARY", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=291, ...}) = 0
mmap2(NULL, 291, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef3000
close(3) = 0
open("/usr/lib/locale/en_US/LC_TIME", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2459, ...}) = 0
mmap2(NULL, 2459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef2000
close(3) = 0
open("/usr/lib/locale/en_US/LC_NUMERIC", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
mmap2(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ef1000
close(3) = 0
open("/usr/lib/locale/en_US/LC_CTYPE", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=207720, ...}) = 0
mmap2(NULL, 207720, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7d19000
close(3) = 0
open("/home/dentonj/.lesshst", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0600, st_size=54, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef0000
read(3, ".less-history-file:\n.search\n\"rc\n"..., 4096) = 54
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7ef0000, 4096) = 0
open("/dev/tty", O_RDONLY|O_LARGEFILE) = 3
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
fsync(3) = -1 EINVAL (Invalid argument)
ioctl(3, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon -echo ...}) = 0
rt_sigaction(SIGINT, {0x805a220, [INT], SA_RESTART}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTSTP, {0x805a260, [TSTP], SA_RESTART}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGWINCH, {0x805a2a0, [WINCH], SA_RESTART}, {SIG_DFL}, 8) = 0
pipe([4, 5]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7d4c918) = 10823
close(5) = 0
fstat64(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef0000
read(4, /bin/bash: ./iptraf.txt: Permission denied "", 1024) = 0
close(4) = 0
waitpid(10823, [{WIFEXITED(s) && WEXITSTATUS(s) == 126}], 0) = 10823
--- SIGCHLD (Child exited) @ 0 (0) ---
munmap(0xb7ef0000, 4096) = 0
stat64(" ", 0xbfc68e10) = -1 ENOENT (No such file or directory)
stat64(" ", 0xbfc68e90) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/dentonj/.lesshst", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
fchmod(4, 0600) = 0
fstat64(4, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef0000
write(4, ".less-history-file:\n.search\n\"rc\n"..., 54) = 54
close(4) = 0
munmap(0xb7ef0000, 4096) = 0
write(2, "\n: No such file or directory\n", 29 : No such file or directory ) = 29
fsync(3) = -1 EINVAL (Invalid argument)
ioctl(3, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
exit_group(1) = ?
Process 10822 detached
$
$ chmod 755 iptraf.txt
$ less iptraf.txt
./iptraf.txt: line 1: 10.1.1.1:33073: command not found
./iptraf.txt: line 2: 10.1.1.2:54356: command not found
.
.
.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
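The advisory's crash (LESSOPEN=%s%n making less segfault) is the signature of a program that hands an environment string to a printf-family function as the format argument, and the Slackware trace above shows the other failure mode: the expanded string is run through /bin/bash, so once the file was executable bash simply executed it. The block below is an added example written for this page; it is not code from less 394 and not from either poster. That less 394 passes LESSOPEN to sprintf is an inference from the symptom, not something the thread shows, and every name in the block (build_cmd_unsafe, lessopen_template_ok, build_cmd_safe) is invented for illustration. It puts the vulnerable pattern next to a hardened expander that treats the LESSOPEN template as data and accepts exactly one %s.

```c
/* Added example; not code from less 394 or from either poster on this thread.
 * A LESSOPEN value of "%s%n" crashing less is the classic symptom of an
 * environment string reaching a printf-family function as its FORMAT argument
 * (assumption inferred from the symptom; the thread shows no source).
 * Below: that pattern, then a hardened expander that treats the template as
 * data. All function names here are invented for illustration. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE PATTERN: the user-controlled template is the format string.
 * With tmpl = "%s%n", the %n stores an int through whatever sits in the next
 * (nonexistent) vararg slot, hence the segfault in the advisory.
 * Only ever call this with a template you trust. */
int build_cmd_unsafe(char *out, size_t outlen, const char *tmpl, const char *file)
{
    return snprintf(out, outlen, tmpl, file); /* tmpl is not a literal: format string bug */
}

/* Accept a template only if its sole conversion is exactly one "%s"; "%%" is
 * allowed as an escaped percent. Every other directive (%n, %x, %d, a second
 * %s, a dangling '%' at the end) is rejected. Returns 1 if acceptable, else 0. */
int lessopen_template_ok(const char *tmpl)
{
    int n_s = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;                       /* look at the character after '%' */
        if (*p == 's')
            n_s++;
        else if (*p != '%')
            return 0;              /* %n, %x, %d, ... or a trailing '%' (NUL) */
    }
    return n_s == 1;
}

/* Expand the template by hand: "%s" is replaced with the file name as DATA,
 * "%%" becomes "%", everything else is copied verbatim. Returns the length
 * written (excluding the NUL) or -1 if the template is rejected or out is too
 * small. The result still goes to a shell, so the file name must additionally
 * be shell-quoted by the caller; that is separate from the format-string bug
 * and is deliberately not done here. */
int build_cmd_safe(char *out, size_t outlen, const char *tmpl, const char *file)
{
    if (!lessopen_template_ok(tmpl) || outlen == 0)
        return -1;
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '%') {
            p++;
            if (*p == 's') {
                size_t fl = strlen(file);
                if (o + fl >= outlen)
                    return -1;
                memcpy(out + o, file, fl);
                o += fl;
                continue;
            }
            /* *p is the second '%' of "%%": fall through and emit one '%' */
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char cmd[256];
    const char *benign = "|lesspipe.sh %s";  /* the Slackware value from the post; the
                                                 leading '|' is less's pipe marker */
    const char *attack = "%s%n";              /* the value from the advisory */

    printf("benign template accepted: %d\n", lessopen_template_ok(benign));
    printf("attack template accepted: %d\n", lessopen_template_ok(attack));
    if (build_cmd_safe(cmd, sizeof cmd, benign, "iptraf.txt") >= 0)
        printf("expanded: %s\n", cmd);
    if (build_cmd_safe(cmd, sizeof cmd, attack, "iptraf.txt") < 0)
        printf("rejected: %s\n", attack);
    return 0;
}
```

Two caveats a practitioner would want. First, LESSOPEN is the invoking user's own environment, so on its own this only lets you crash your own pager; it matters where less runs with more privilege than whoever set the environment (a setuid or sudo wrapper that keeps the caller's environment, a service that passes client environment through). Second, as the trace shows, fixing the format string does not make LESSOPEN safe: whatever the template expands to is still handed to a shell, so the file name must be quoted for the shell as a separate step.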