

Posted Mar 23, 2002
Authored by Wojciech Purczynski | Site isec.pl

Libsafe protection against format string exploits may be easily bypassed using flag characters that are implemented in glibc but are not implemented in libsafe. Example exploit code included. Libsafe v2.0-12 fixes the issue.

SHA-256 | 67243630ffbf72dec1fb961dd0c2684be8255858ba9eac121ed463abc80f0bb6



Name: libsafe
Version: up to 2.0-11
URL: http://www.research.avayalabs.com/project/libsafe/
Author: Wojciech Purczyński <cliph@isec.pl>
Date: March 14, 2002


Libsafe's protection against format string exploit attacks is ineffective
and can be trivially bypassed.


The libsafe library protects a process against the exploitation of buffer
overflow vulnerabilities in process stacks. Libsafe works with any
existing pre-compiled executable and can be used transparently, even on a
system-wide basis. The method intercepts all calls to library functions
that are known to be vulnerable. A substitute version of the corresponding
function implements the original functionality, but in a manner that
ensures that any buffer overflows are contained within the current stack
frame. Libsafe has been shown to detect several known attacks and can
potentially prevent yet unknown attacks.



Libsafe protection against format string exploits may be easily bypassed
using flag characters that are implemented in glibc but are not
implemented in libsafe.

These flags are defined in SUSv2 but not in the C standard (quoting from
the printf(3) manpage):

' For decimal conversion (i, d, u, f, F, g, G) the
output is to be grouped with thousands' grouping
characters if the locale information indicates any.
Note that many versions of gcc cannot parse this
option and will issue a warning. SUSv2 does not
include %'F.

I For decimal integer conversion (i, d, u) the output
uses the locale's alternative output digits, if any
(for example, Arabic digits). However, it does not
include any locale definitions with such outdigits
defined. (glibc 2.2 only)

Example exploit:

printf("%'n", &target);
printf("%In", &target);


Libsafe *printf function wrappers incorrectly parse argument indexing in
format strings. They always assume that the n-th conversion specification
uses the n-th argument and do not properly count the real number of
arguments used. Thus, arguments whose index numbers are above the total
number of conversion specifications are not verified at all.

Example exploit:

printf("%2$n", "unused argument", &target);

Total number of conversion specifications used: 1 ("%2$n")
Highest argument index used: 2
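The two flaws above (an incomplete flag table and per-conversion rather than per-argument accounting) are both parsing mistakes, so the clearest way to see them is to put a naive scanner next to a strict one and run both over the advisory's formats. The following C example was written for this page; it is not libsafe's code and not iSEC's exploit. The "naive" mode is a model of the behaviour the advisory describes (ISO C flags only, k-th conversion taken to use the k-th argument), not a copy of libsafe's actual parser; the "strict" mode follows glibc's grammar, including the ' and I flags, N$ selectors and * widths, and goes one step beyond the advisory by also counting the argument consumed by a bare * width. Each scanner returns a bitmask whose bit i is set when it believes a %n writes through argument i.

```c
/* Naive vs. strict %n scanner, modelling the libsafe bypass.  Example code
   written for this page; the naive mode reproduces the behaviour the
   advisory describes, it is not libsafe's source. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { CHECK_NAIVE, CHECK_STRICT };

/* If *pp points at digits followed by '$', consume both and return the
   number (an argument selector); otherwise leave *pp alone and return 0
   so the digits can be read as a plain width or precision. */
static int take_positional(const char **pp)
{
    const char *q = *pp;
    int v = 0;
    while (isdigit((unsigned char)*q) && v < 100000)
        v = v * 10 + (*q++ - '0');
    if (q != *pp && *q == '$') {
        *pp = q + 1;
        return v;
    }
    return 0;
}

/* Width or precision: '*' (optionally '*N$') consumes an argument, digits
   do not.  Strict mode advances the sequential argument counter for a
   bare '*'; the naive checker never counts it. */
static void skip_width(const char **pp, int mode, int *next_arg)
{
    if (**pp == '*') {
        (*pp)++;
        if (take_positional(pp) == 0 && mode == CHECK_STRICT)
            (*next_arg)++;
    } else {
        while (isdigit((unsigned char)**pp))
            (*pp)++;
    }
}

unsigned scan_n_writes(const char *fmt, int mode)
{
    /* glibc accepts the SUSv2 ' flag and its own I flag; ISO C does not. */
    const char *flags = (mode == CHECK_NAIVE) ? "-+ #0" : "-+ #0'I";
    unsigned mask = 0;
    int conv_no = 0;   /* ordinal of the conversion: the naive index  */
    int next_arg = 1;  /* next unconsumed argument: the strict index  */
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        int arg;
        char conv;
        p++;
        if (*p == '%') { p++; continue; }      /* literal percent */

        /* N$ selector: both parse it, only strict honours the value */
        arg = take_positional(&p);
        if (mode == CHECK_NAIVE)
            arg = 0;
        while (*p && strchr(flags, *p))        /* flags this checker knows */
            p++;
        skip_width(&p, mode, &next_arg);        /* field width */
        if (*p == '.') {                        /* precision */
            p++;
            skip_width(&p, mode, &next_arg);
        }
        while (*p && strchr("hlLqjzt", *p))    /* length modifiers */
            p++;
        conv = *p;
        if (conv == '\0')
            break;
        p++;
        /* An unrecognised character here (' or I for the naive checker)
           ends the spec without a conversion being recorded; glibc's own
           parser keeps reading and reaches the n. */
        if (strchr("diouxXeEfFgGaAcspn", conv) == NULL)
            continue;
        if (mode == CHECK_NAIVE)
            arg = ++conv_no;
        else if (arg == 0)
            arg = next_arg++;
        if (conv == 'n' && arg > 0 && arg < 32)
            mask |= 1u << arg;
    }
    return mask;
}

/* True when glibc would perform a %n write through an argument that the
   naive checker never examines: exactly the bypass condition. */
int bypasses_naive_check(const char *fmt)
{
    unsigned naive = scan_n_writes(fmt, CHECK_NAIVE);
    unsigned strict = scan_n_writes(fmt, CHECK_STRICT);
    return (strict & ~naive) != 0;
}

int main(void)
{
    /* The three formats from the advisory plus a '*' width case. */
    const char *samples[] = { "%'n", "%In", "%2$n", "%*d%n", "%s%n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s naive=%#x strict=%#x bypass=%d\n", samples[i],
               scan_n_writes(samples[i], CHECK_NAIVE),
               scan_n_writes(samples[i], CHECK_STRICT),
               bypasses_naive_check(samples[i]));
    return 0;
}
```

For "%'n" and "%In" the naive scanner records no write at all, while the strict one sees a %n through argument 1; for "%2$n" the naive scanner checks argument 1 (the unused string) while the write goes through argument 2. The lesson for any wrapper that vets format strings is that its parser must accept exactly the grammar of the printf it wraps, fail closed on any character it does not know, and compute the highest argument index actually referenced rather than counting conversions.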


On March 18, 2002 a new version of libsafe, 2.0-12, was released fixing
the above security issue.

--
Wojciech Purczynski
iSEC Security Research

