rdate version 1.4 is susceptible to a format string vulnerability. Note: this is likely a benign vulnerability, since rdate is not setuid by default.
+-----[ Software ]-----+
'rdate' retrieves the date and time from another machine on your network,
using the RFC 868 protocol. If you run rdate as root, it will set your
machine's local time to the time of the machine that you queried.
(http://directory.fsf.org/sysadmin/remote/rdate.html)
+-----[ Version ]-----+
Version 1.4 (stable) released on 2004-04-27
+-----[ Description ]-----+
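Format string vulnerability: writeLog() passes the already formatted message buffer to syslog() as the format string instead of as an argument.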
+-----[ Vulnerable Code ]-----+
[rdate.c]
static void writeLog(int is_error, char *format, ...)
{
    va_list args;
    int n;
    char buf[2048];

    va_start(args, format);
    n = vsnprintf(buf, sizeof(buf), format, args);
    va_end(args);
    if(n < 1)
        return; /* Error, which we can't report because this _is_ the error
                   reporting mechanism */
    if(log_mode)
        syslog(is_error?LOG_WARNING:LOG_INFO, buf); /* bad bad bad */
    if(is_error || print_mode)
        fprintf(is_error?stderr:stdout, "%s: %s\n", argv0, buf);
}
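One way to fix the syslog() call flagged above, as an added example (not the rdate project's own patch): the buffer is passed as an argument to a constant "%s" format, and a format(printf) attribute lets GCC/Clang check every call site. The last_logged buffer, the specifiers_logged_verbatim() helper, the int return value, the global values and the "could not resolve" message are assumptions made for this demonstration.

```c
/* Added example: hardened writeLog(); globals mirror rdate.c names, values assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

static int log_mode = 1;            /* assumed: enabled by -l */
static int print_mode = 0;
static const char *argv0 = "rdate";
static char last_logged[2048];      /* hypothetical: copy of the last message, for checks */

/* format(printf, 2, 3): the compiler type-checks format/arguments at call sites. */
static int writeLog(int is_error, const char *format, ...)
    __attribute__((format(printf, 2, 3)));

static int writeLog(int is_error, const char *format, ...)
{
    va_list args;
    int n;
    char buf[2048];

    va_start(args, format);
    n = vsnprintf(buf, sizeof(buf), format, args);
    va_end(args);
    if (n < 1)
        return -1;

    /* buf can hold user-influenced text (host names, error strings), so it is
     * only ever an argument to a constant "%s" format, never the format itself. */
    if (log_mode)
        syslog(is_error ? LOG_WARNING : LOG_INFO, "%s", buf);
    if (is_error || print_mode)
        fprintf(is_error ? stderr : stdout, "%s: %s\n", argv0, buf);

    snprintf(last_logged, sizeof(last_logged), "%s", buf);
    return n;
}

/* Returns 1 if a host string with conversion specifiers is logged unchanged. */
static int specifiers_logged_verbatim(const char *host)
{
    writeLog(1, "could not resolve %s", host);  /* constructed message */
    return strstr(last_logged, host) != NULL;
}

int main(void)
{
    return specifiers_logged_verbatim("%n%n%n%n") ? 0 : 1;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn about the original syslog(priority, buf) pattern.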
+-----[ Conclusion ]-----+
Virulent@siyahsapka.org:/rdate-1.4# ./rdate -l %n%n%n%n
Segmentation fault (core dumped)
+-----[ Greetings ]-----+
#coders @ irc.ttnet.net.tr
Deicide
+-----[ Contact ]-----+
http://virulent.siyahsapka.org
virulent@siyahsapka.org
+----------------------+