
|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| FIO30-C | 3 (high) | 3 (probable) | 3 (low) | P27 | L1 |

Two recent examples of format string vulnerabilities resulting from a violation of this rule include [Ettercap|http://ettercap.sourceforge.net/history.php] and [Samba|http://samba.org/samba/security/CVE-2007-0454.html]. In Ettercap v.NG-0.7.2, the ncurses user interface suffers from a format string defect. The {{curses_msg()}} function in {{ec_curses.c}} calls {{wdg_scroll_print()}}, which takes a format string and its parameters and passes them to {{vw_printw()}}. The {{curses_msg()}} function uses one of its own parameters as the format string. Because that parameter can contain user data, any conversion specifications in the data are interpreted by {{vw_printw()}}, resulting in a format string vulnerability \[[VU#286468|http://www.kb.cert.org/vulnotes/id/286468]\]. The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled file names that are used in a format specifier supplied to {{snprintf()}}. This security flaw becomes exploitable when a user is able to write to a share that uses Samba's {{afsacl.so}} library for setting Windows NT access control lists on files residing on an AFS file system.

Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.
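Both incidents above share one shape: a logging or formatting wrapper takes a format string parameter, and a caller hands it user-controlled text (a message in Ettercap, a file name in Samba). The following is an added example, not code from this rule, Ettercap or Samba; it mirrors that shape with a noncompliant wrapper, the compliant form that always passes user data as a {{%s}} argument, and a small check a defender can use to flag untrusted strings that carry conversion specifications. The function names, the buffer size and the sample message are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Noncompliant (hypothetical): the same defect as curses_msg() in the
 * text above. The wrapper forwards whatever it is given as the format
 * string, so a caller that passes user data here lets the data's
 * conversion specifications drive vsnprintf().
 */
static void log_msg_noncompliant(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap); /* fmt may be user-controlled */
    va_end(ap);
}

/*
 * Compliant (hypothetical): the format string is a literal and the user
 * text is only ever a %s argument, so '%' characters in it are copied,
 * never interpreted.
 */
static void log_msg(char *out, size_t n, const char *user_text)
{
    snprintf(out, n, "%s", user_text);
}

/*
 * Defensive check (hypothetical helper): count conversion specifications
 * in an untrusted string. A literal "%%" is not a conversion. A nonzero
 * result means the string would have been misinterpreted had it been
 * used as a format, which is worth logging or rejecting at a trust
 * boundary such as a share's file-name handling.
 */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { /* escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: user text that happens to contain conversions. */
    const char *user_text = "rate is 100%% and value is %x";
    char buf[128];

    /* Correct use of the noncompliant wrapper: a literal format, user
     * data as the argument. The defect only appears when user_text
     * itself is passed as fmt, which this program never does. */
    log_msg_noncompliant(buf, sizeof buf, "%s", user_text);
    printf("via wrapper: %s\n", buf);

    log_msg(buf, sizeof buf, user_text);
    printf("compliant:   %s\n", buf);

    printf("conversions in user text: %d\n", count_conversions(user_text));
    return 0;
}
```

The compliant form is the fix the rule calls for: the only format string that ever reaches a {{printf}}-family function is a literal under the program's control. The counting helper is a secondary control for audit logging or input rejection; it does not replace the literal-format fix, since a string that merely contains {{%}} is harmless once it can only arrive as a {{%s}} argument.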

References

\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6, "Formatted input/output functions"
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 6, "Formatted Output"
\[[Viega 05|AA. C References#Viega 05]\] Section 5.2.23, "Format string problem"
\[[VU#649732|http://www.kb.cert.org/vulnotes/id/649732]\] Gennari, Jeff. Vulnerability Note VU#649732 Samba AFS ACL mapping VFS plug-in format string vulnerability. http://www.kb.cert.org/vulnotes/id/649732 (2007).
\[[VU#286468|http://www.kb.cert.org/vulnotes/id/286468]\] Burch, Hal. Vulnerability Note VU#286468 Ettercap contains a format string error in the "curses_msg()" function. http://www.kb.cert.org/vulnotes/id/286468 (2007).