This idiotic library redefines snprintf() and vsnprintf() to ignore the length parameter! Thus any programs which use *nprintf() for bounds checking and link to libdb.so can be subverted! Sendmail may very well be vulnerable.
Thomas Roessler <firstname.lastname@example.org>
subvert programs which use libdb.so
Linux programs using libdb.so.1.85.4, as well as other versions.
8 July 1997
Date: Tue, 8 Jul 1997 21:33:55 +0200
From: Thomas Roessler <email@example.com>
Cc: The mutt developpers' list <firstname.lastname@example.org>, email@example.com
Subject: [linux-security] so-called snprintf() in db-1.85.4
[The following text is in the "iso-8859-1" character set]
[Your display is set for the "US-ASCII" character set]
[Some characters may be displayed incorrectly]
There is a severe problem with the db-1.85.4 library's Linux
port that can be found on sunsite.unc.edu under
/pub/Linux/libs/db-1.85.4-src.tar.gz (sp?): This library
contains a "snprintf" function which breaks down to a common
sprintf, ignoring the size parameter. Obviously, this was
thought to be a terribly bad work-around for C libraries which
don't contain an snprintf routine of their own. The
consequences of this bug are obvious: Any program which is
linked with libdb.so.1.85.4 and relies on snprintf(3) to do
it's bounds checking doesn't have any bounds checking at all.
Note that recent linux C libraries contain an snprintf(3)
function of their own which does it's job properly. Thus, the
fix is to simply remove snprintf.o from libdb.
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
1280/593238E1 · AE 24 38 88 1B 45 E4 C6 03 F5 15 6E 9C CA FD DB
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: