[Flightgear-devel] Flightgear and Simgear multiple format string vulnerabilities

[Andres G. <ag...@fl...>]

Hi,

I have found multiple format string vulnerabilities in Flightgear and
Simgear. This could allow an attacker to execute arbitrary code in a
Flightgear user's machine. This is possible because user controlled format
string is passed directly to printf family functions without any
validation.  For example if I have an aircraft xml model with a section
like this:


<text>
    <name>Registration</name>
    <type type="string">text-value</type>
    <property type="string">/sim/multiplay/callsign</property>
    <format type="string">%s</format>
    <draw-text type="bool">true</draw-text>
    .
    .
    .
</text>

the format string "%s" in label

<format type="string">%s</format>

is passed directly to snprintf. This line can be changed for something like
"%s %s %s %s" which will make Flightgear to crash. Even more if "%n"
specifier* *is used, arbitrary code execution can be achieved. Until now I
have found this issue in the following files:

fgfs/flightgear/src/Cockpit/panel.cxx:1237
fgfs/flightgear/src/Cockpit/panel.cxx:1240
fgfs/flightgear/src/Cockpit/panel.cxx:1245
fgfs/flightgear/src/Network/generic.cxx:222

simgear/simgear/scene/model/SGText.cxx:72
simgear/simgear/scene/model/SGText.cxx:74

but others locations could also be affected. A solution for this bug would
be at least to validate that "n" specifier is not present in the format
string.

Regards,

Andrés Gómez