---

VNU Net: Format string bugs become a problem

By John Leyden, VNU Net

Security researchers have described a fresh family of attacks that
turn the internationalisation features of operating systems against
the programs that use them.

The attacks exploit format string vulnerabilities. They use the
localisation features found on many operating systems as the route by
which a malicious format string reaches a program, and from there
obtain privileged access and run arbitrary code.

Programs use the localisation features to display messages in
the correct language. In normal operation, a program that needs to
display a message looks up the language-specific version in a message
catalogue, using the original message as the search key, and prints
the result with the printf family of functions. The catalogue string
is handed to those functions as the format argument, not as data, and
that is what can be subverted.

By building and installing a customised message catalogue, an
attacker controls the string that the message retrieval functions
return and that the program then passes to printf as its format.
Format directives in that string, %n in particular, let the attacker
read from the stack and write to memory.
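The mechanism described above, as an added illustration that is not code from the article or from Core SDI: a constructed, in-memory stand-in for a message catalogue (the real lookup would be gettext or catgets reading a file that the attacker points the program at through environment variables such as NLSPATH), the vulnerable call pattern, and a runtime check that rejects a translation whose conversion specifiers differ from the original's. The function names and catalogue entries are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a message catalogue (what gettext/catgets
 * would read from disk). The key is the program's original message;
 * the value is the "translation". The last entry is what a hostile,
 * attacker-installed catalogue would contain. */
struct catalog_entry { const char *key; const char *value; };

static const struct catalog_entry catalog[] = {
    { "Permission denied\n", "Zugriff verweigert\n" },    /* benign */
    { "Cannot open %s\n",    "Kann %s nicht oeffnen\n" }, /* benign, keeps %s */
    { "Bad password\n",      "%x %x %x %x %n\n" },        /* hostile: reads stack, %n writes memory */
};

/* Plain lookup, mirroring the gettext convention of returning the
 * original message when no translation exists. */
static const char *lookup(const char *key)
{
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        if (strcmp(catalog[i].key, key) == 0)
            return catalog[i].value;
    return key;
}

/* Collect the conversion characters of a printf format, in order, into
 * `out` ("%5.2f %s" -> "fs"). "%%" is a literal and is skipped; '*' is
 * recorded because it consumes an argument of its own. Flags, width,
 * precision and length modifiers are otherwise ignored. */
static void conversion_specs(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p && n + 1 < outlen; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                         /* "%%" prints a literal '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*' && n + 1 < outlen)
                out[n++] = '*';
            p++;
        }
        if (*p == '\0') {                     /* lone '%' at end: malformed */
            if (n + 1 < outlen)
                out[n++] = '?';
            break;
        }
        if (n + 1 < outlen)
            out[n++] = *p;
    }
    out[n] = '\0';
}

/* 1 if `translated` uses the same conversion specifiers, in the same
 * order, as `original`. This is a runtime version of the comparison
 * msgfmt --check-format makes at build time for c-format strings. */
static int format_specs_match(const char *original, const char *translated)
{
    char a[64], b[64];
    conversion_specs(original, a, sizeof a);
    conversion_specs(translated, b, sizeof b);
    return strcmp(a, b) == 0;
}

/* Hardened lookup: a translation whose directives differ from the
 * original is discarded in favour of the original, so the format
 * string handed to printf is never one the catalogue author chose. */
static const char *safe_lookup(const char *key)
{
    const char *translated = lookup(key);
    return format_specs_match(key, translated) ? translated : key;
}

/* The vulnerable pattern the article describes: the catalogue string
 * *is* the format argument. With the hostile entry above, printf walks
 * the stack for the %x directives and %n writes to memory. */
static void report_vulnerable(const char *key, const char *arg)
{
    printf(lookup(key), arg);
}

/* The same call through the checked lookup. */
static void report_checked(const char *key, const char *arg)
{
    printf(safe_lookup(key), arg);
}

int main(void)
{
    report_vulnerable("Cannot open %s\n", "/etc/shadow"); /* benign entry: harmless */
    report_checked("Cannot open %s\n", "/etc/shadow");    /* same output */
    /* The hostile entry is rejected and the original text is printed.
     * report_vulnerable("Bad password\n", "") would instead run the
     * attacker's "%x %x %x %x %n" format. */
    report_checked("Bad password\n", "");

    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        printf("catalogue entry %zu: %s\n", i,
               format_specs_match(catalog[i].key, catalog[i].value)
                   ? "accepted" : "REJECTED");
    return 0;
}
```

The runtime check is a belt-and-braces measure. The fixes vendors actually shipped were to have the C library ignore user-supplied catalogue locations such as NLSPATH in set-user-ID programs and to validate catalogues at build time; the check above also catches the most dangerous case, a %n that the original never contained. Compiling with `-Wformat=2` flags the non-literal format in report_vulnerable, which is how this class of bug is found in source.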

For example, this week the Argentinian security firm Core SDI issued
a security alert, Unix locale format string vulnerability, detailing a
vulnerability that affects Linux and Unix systems. It is exploitable
locally through set-user-ID programs and, where a network service
passes client-supplied environment variables on to such programs,
remotely as well.

In a security notice Core SDI explained: “Bad coding practices
and the ability to feed format strings to the latter functions makes
it possible for an attacker to execute arbitrary code as a
privileged user (root) using almost any SUID [set userID] program
on the vulnerable systems.”

The alert has triggered a string of notices from most Linux and
Unix vendors advising users how to deal with the problem.

Ivan Arce, president of Core SDI, said that format string bugs
represent a growing trend in security vulnerabilities and are also
known to affect systems based on Microsoft Windows NT as well as
Unix.

“Format string bugs have been known for quite some time, but
lately a ‘string’ of format string vulnerabilities has appeared,”
said Arce.

He said that while some programming knowledge is required,
format string bugs are generally not difficult to exploit.

Arce stressed that this is far from an academic issue. A number of
real-world exploits of format string vulnerabilities have already been
recorded, he said, including in popular packages such as wu-ftpd.

Roy Hills, testing development director at security firm NTA
Monitor, said that he had yet to come across format string
vulnerabilities in the field.

“Manufacturers need to get on top of this quickly – perhaps by
restricting message libraries,” said Hills. “Everyone in the
security industry is holding their breath waiting to see how
serious format string problems will become.”