[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: PFinger 0.7.8 format string vulnerability (#NISR16122002B)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
From: Stefan Esser <s.esser@xxxxxxxxxxxx>
Date: Mon, 16 Dec 2002 21:39:32 +0100
Delivered-to: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Delivery-date: Mon, 16 Dec 2002 21:51:58 +0100
Envelope-to: bugtraq@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <002001c2a53d$07a90260$2601010a@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4i

Hello,

> Due to the way requests are logged the only way to exploit this
> vulnerability is through setting the DNS name of the fingering host to the
> attacker supplied format string.

I really wonder how you want to exploit this... Last time I checked
all tested resolvers (Linux/BSD/Solaris) did not allow % within domain
names and so your format string vulnerability is not exploitable at all...

Stefan Esser

Follow-Ups:
- Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
  - From: der Mouse
- Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
  - From: Valdis . Kletnieks

References:
- PFinger 0.7.8 format string vulnerability (#NISR16122002B)
  - From: NGSSoftware Insight Security Research

Prev by Date: zkfingerd 0.9.1 format string vulnerabilities (#NISR16122002A)
Next by Date: [CLA-2002:554] Conectiva Linux Security Announcement - fetchmail
Previous by thread: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
Next by thread: Re: PFinger 0.7.8 format string vulnerability (#NISR16122002B)
Index(es):
- Date
- Thread