#16375: Format String Bug cause DoS and RCE
----------------------------------+--------------------------
Reporter: douro | Owner: mmu_man
Type: bug | Status: new
Priority: normal | Milestone: Unscheduled
Component: Applications/CodyCam | Version:
Keywords: | Blocked By:
Blocking: | Platform: All
----------------------------------+--------------------------
[https://git.haiku-os.org/haiku/tree/src/apps/codycam/FtpClient.cpp#n86]
printf with an unspecified format string causes AAW, and in this code `buf` is
a filename on the remote server.
If the attacker has access to the FTP server, then with many files named as
format strings the attacker can brute-force the stack address, libc address and
return address in one go, so this bug is usable for evil code.
This applies in general to systems using glibc printf.
I don't have a web camera matching this OS so I can't reproduce the stack trace,
but I verified that `printf("aaaaa%1$n%2$n%3$n");` causes a crash in all versions.
In the end, `printf("%s", buf);` seems to be better code.
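The following is an added example, not code from the ticket or from Haiku's FtpClient.cpp, showing the hardened pattern the ticket recommends: the format string is a constant and the remote filename only ever fills a `%s`. The function names, the constructed filename and the "Transferring file" message are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Haiku's code). A remote filename is attacker-controlled
 * data, so it must never be used as the format argument of printf. The
 * pattern the ticket flags looks like
 *     printf(buf);            // buf is the format string: BAD
 * and the fix is to make the format a literal and pass buf as data:
 *     printf("%s", buf);      // buf is an argument: OK
 */

/* Render a remote filename into `out` using a constant format string.
 * Returns the length snprintf would have written, so callers can detect
 * truncation when the return value is >= out_len. */
int format_remote_name(const char *buf, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s", buf);
}

/* Same idea for a log line about a file (hypothetical message text):
 * the format is a literal; `buf` only ever fills a %s. */
int format_transfer_line(const char *buf, char *out, size_t out_len)
{
    return snprintf(out, out_len, "Transferring file '%s'\n", buf);
}

int main(void)
{
    /* Constructed sample: a filename that contains conversion specifiers.
     * As a format string it would be interpreted; through "%s" it is text. */
    const char *hostile_name = "photo%s%n%x.jpg";
    char line[128];

    format_transfer_line(hostile_name, line, sizeof line);
    fputs(line, stdout); /* the name is printed verbatim */
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on any `printf(buf)` where the format is not a literal, which is a cheap way to find other instances of this pattern in a tree.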
--
Ticket URL: <https://dev.haiku-os.org/ticket/16375>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.