Page History

Two recent examples of format string vulnerabilities resulting from a violation of this rule include [Ettercap|http://ettercap.sourceforge.net/history.php] and [Samba|http://samba.org/samba/security/CVE-2007-0454.html]. In Ettercap v.NG-0.7.2, the ncurses user interface suffers from a format string defect. The {{curses_msg()}} function in {{ec_curses.c}} calls {{wdg_scroll_print()}}, which takes a format string and its parameters and passes it to {{vw_printw()}}. The {{curses_msg()}} function uses one of its parameters as the format string. This input can include user-data, allowing for a format string vulnerability \[[VU#286468|AA. C References#VU286468]\]. The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled filenames that are used in a format specifier supplied to {{snprintf()}}. This security flaw becomes exploitable when a user is able to write to a share that uses Samba's {{afsacl.so}} library for setting Windows NT access control lists on files residing on an AFS file system.

\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6, "Formatted input/output functions"
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 6, "Formatted Output"
\[[Viega 05|AA. C References#Viega 05]\] Section 5.2.23, "Format string problem"
\[[VU#286468|AA. C References#VU286468]\]
\[[VU#649732|AA. C References#VU649732]\]