From: Andres G. <ag...@fl...> - 2012-03-09 16:10:40
Hi,

I have found multiple format string vulnerabilities in Flightgear and Simgear. This could allow an attacker to execute arbitrary code on a Flightgear user's machine. This is possible because a user-controlled format string is passed directly to printf family functions without any validation.

For example, if I have an aircraft xml model with a section like this:

    <text>
      <name>Registration</name>
      <type type="string">text-value</type>
      <property type="string">/sim/multiplay/callsign</property>
      <format type="string">%s</format>
      <draw-text type="bool">true</draw-text>
      ...
    </text>

the format string "%s" in the label <format type="string">%s</format> is passed directly to snprintf. This line can be changed to something like "%s %s %s %s", which will make Flightgear crash. Even more, if the "%n" specifier is used, arbitrary code execution can be achieved.

So far I have found this issue in the following files:

    fgfs/flightgear/src/Cockpit/panel.cxx:1237
    fgfs/flightgear/src/Cockpit/panel.cxx:1240
    fgfs/flightgear/src/Cockpit/panel.cxx:1245
    fgfs/flightgear/src/Network/generic.cxx:222
    simgear/simgear/scene/model/SGText.cxx:72
    simgear/simgear/scene/model/SGText.cxx:74

but other locations could also be affected.

A solution for this bug would be, at least, to validate that the "n" specifier is not present in the format string.

Regards,
Andrés Gómez
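The following is an added C++ example of the kind of check the report asks for; it is not FlightGear or SimGear code, and the names `is_safe_format` and `render_text_label` are hypothetical. It goes a step beyond rejecting "%n": the XML-supplied format only reaches snprintf if it contains exactly one conversion whose type is in an allowed set (here "s" for text values), no "*" width or precision (which would consume extra arguments), and no other "%" sequences except the literal "%%"; anything else falls back to a fixed "%s".

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// Returns true if fmt is a printf-style format string that contains exactly one
// conversion, that conversion's type character is in `allowed` (e.g. "s"), and
// every other '%' is the escaped "%%". Flags, width and precision digits are
// accepted; '*', length modifiers and any type not in `allowed` (so %n, %x, %p,
// ...) are rejected. This validator is a hypothetical addition, not project code.
bool is_safe_format(const std::string& fmt, const char* allowed) {
    if (fmt.find('\0') != std::string::npos) return false;  // embedded NUL: reject
    int conversions = 0;
    for (size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        ++i;
        if (i >= fmt.size()) return false;   // trailing lone '%'
        if (fmt[i] == '%') continue;         // "%%" prints a literal percent sign
        // Skip flags, then width and precision digits (no '*' allowed).
        while (i < fmt.size() && std::strchr("-+ #0", fmt[i])) ++i;
        while (i < fmt.size() && std::isdigit(static_cast<unsigned char>(fmt[i]))) ++i;
        if (i < fmt.size() && fmt[i] == '.') {
            ++i;
            while (i < fmt.size() && std::isdigit(static_cast<unsigned char>(fmt[i]))) ++i;
        }
        if (i >= fmt.size()) return false;   // conversion cut off
        if (!std::strchr(allowed, fmt[i])) return false;  // disallowed type, '*', 'n', 'l', ...
        if (++conversions > 1) return false; // more than one argument would be consumed
    }
    return conversions == 1;
}

// Renders a text label from a (user-controlled) format and a single string value.
// The format is handed to snprintf only after validation; otherwise "%s" is used,
// so a hostile <format> element can at worst lose its decoration, never crash.
std::string render_text_label(const std::string& user_fmt, const std::string& value) {
    const char* fmt = is_safe_format(user_fmt, "s") ? user_fmt.c_str() : "%s";
    char buf[256];
    std::snprintf(buf, sizeof buf, fmt, value.c_str());
    return std::string(buf);
}

int main() {
    // Constructed inputs standing in for <format> values from an aircraft model.
    const char* formats[] = {"%s", "Reg: %-8s", "%s %s %s %s", "%n", "%08x", "%*s"};
    for (const char* f : formats)
        std::printf("%-14s -> %s\n", f, is_safe_format(f, "s") ? "accepted" : "rejected");
    std::printf("label: %s\n", render_text_label("[%s]", "N123AB").c_str());
    return 0;
}
```

The same validator can be reused for numeric labels by passing an allowed set such as "dfe" instead of "s", as long as the argument actually supplied to snprintf matches that set.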