From: Andres G. <ag...@fl...> - 2012-03-22 15:46:00
Hi, I agree with Olaf. Both the format strings and the buffer overflow in Rotor.cpp could allow user-assisted remote attackers to execute arbitrary code, if FlightGear's users download material (aircraft, airports, etc.) from an untrusted web page or even an e-mail. Take a look at a vulnerability I found before which is very similar: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4620

Not to mention the buffer overflow in SGSocketUDP (SimGear), which could be exploitable by network packets, without user assistance.

Something important to note is that not every sprintf is vulnerable, so there is no need to change them all, but just those which are vulnerable.

Also, it is true that FlightGear is supposed to run in the user's context, but very often user and administrative contexts are used as the same, especially in Windows. Anyway, there can always be a way to escalate privileges ;) Here is an example of format string exploitation and privilege escalation: http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/

Regards.
Andres Gomez

2012/3/20 Olaf Flebbe <fg...@of...>

> Hi Torsten,
>
> I am quite sure Flightgear has remote exploitable bugs.
>
> Think about social attack vectors like custom sceneries, special interest
> aircraft models. And the multiplayer protocol, or the httpd server ....
> Running malicious code in user context is bad enough...
>
> Olaf
>
> > This is low priority, because the possible code injection can only
> > happen by the user itself and usually not over the (inter)net. And
> > FlightGear is supposed to run in the user's context which should add
> > some extra safety. (Never run fgfs as root or Administrator!)
>
> _______________________________________________
> Flightgear-devel mailing list
> Fli...@li...
> https://lists.sourceforge.net/lists/listinfo/flightgear-devel
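The distinction Andres draws above (not every sprintf needs changing, only the ones where the format or an argument is attacker-controlled and the output is unbounded) is easy to show in a few lines of C. The block below is an added illustration written for this thread; it is not code from FlightGear, SimGear or Rotor.cpp, and the function names, the buffer size and the "hostile" sample string are all constructed for the example. It contrasts a constant-format, integer-only call that cannot overflow its buffer with the two patterns that are actually dangerous (untrusted string into a fixed buffer, and untrusted text used as the format itself), and shows the hardened form: constant format, explicit bound, truncation treated as an error.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for a rotor name read from a downloaded aircraft
 * definition; the name is untrusted input in the scenario discussed above. */
#define ROTOR_NAME_MAX 32

/* Case 1: constant format, integer argument only. The widest int prints as
 * "-2147483648" (11 chars), so "rotor[%d]" needs at most 18 bytes with the
 * terminator; with a buffer of ROTOR_NAME_MAX this call cannot overflow and is
 * one of the sprintf uses that does not need changing. snprintf is still used
 * here so the bound is explicit and a too-small buffer is reported, not overrun. */
int format_rotor_index(char *out, size_t outlen, int idx)
{
    int n = snprintf(out, outlen, "rotor[%d]", idx);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Case 2: attacker-controlled string copied into a fixed buffer.
 *   vulnerable:      sprintf(out, "%s", name);   length of name unbounded -> overflow
 *   worse:           sprintf(out, name);         name is the format -> %x/%n bug
 * Hardened form: constant format, explicit size, and an over-long name is
 * rejected (buffer cleared, -1 returned) rather than silently truncated. */
int format_rotor_name(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "%s", name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Case 3: untrusted text must only ever travel as a %s argument, never as the
 * format string. Wrapping log formatting this way makes that hold by
 * construction: "%n" inside `text` is just two characters of payload. */
int log_untrusted(char *out, size_t outlen, const char *what, const char *text)
{
    int n = snprintf(out, outlen, "%s: %s", what, text);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char buf[ROTOR_NAME_MAX];
    /* Constructed sample: longer than the buffer and full of format directives. */
    const char *hostile = "%x%x%x%n-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    printf("index: %d (%s)\n", format_rotor_index(buf, sizeof buf, 7), buf);
    printf("name:  %d (rejected: over-long)\n", format_rotor_name(buf, sizeof buf, hostile));
    printf("log:   %d (%s)\n", log_untrusted(buf, sizeof buf, "rotor", "%n%n"), buf);
    return 0;
}
```

When auditing a code base for this class of bug, the first test for each sprintf call is therefore: is the format string a literal, and is the total output length bounded by the argument types and the buffer size? Calls that pass both checks can stay; every call that takes a string from a file, a packet or the network goes through a bounded wrapper like the ones above, and a compiler flag such as -Wformat-security catches the non-literal-format cases mechanically.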