Format string vulnerabilities
I’ve been looking through FLHook sources on Google Code almost all day today, and recalled that I wanted to write here about these vulnerabilities some time ago, but it seems that I forgot.
So…
There are numerous format strings in different places in FLHook that the user can define. I can’t remember where, because I fixed them quite some time ago. I just searched through the files for all functions that accept a variable number of parameters, and then searched for bad calls to these functions. Here you can see an example of the bug: http://code.google.com/p/flhookplugin/source/browse/trunk/source/HkCbIServerImpl.cpp#182
For those who don’t know what it is and how to fix it:
If a user printed the string ‘%s’ in chat, ProcessEvent would think that the second parameter must be a pointer to a string to insert in place of %s.
But there is no second parameter, so the function is likely to follow a wrong address and cause an exception.
I didn’t manage to, for example, execute an admin command through that or even crash the server, since FLHook is well exception-protected, but I think it’s better to fix it anyway. The solution is very simple: just replace that call in the code with this:

```cpp
ProcessEvent(L"%s", wscEvent.c_str()); // constant format; user text is passed as an argument
```
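An added example, not code from the post or from FLHook, that contrasts the vulnerable call pattern with the fixed one. `ProcessEventLike` is an assumed narrow-char stand-in for the wide-string `ProcessEvent`, the chat line is constructed, and only a well-defined input (`%%`) is fed to the unsafe variant; a small audit helper that counts directives in user text is included as well.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Stand-in for a variadic event/logging routine such as FLHook's ProcessEvent:
// the first argument is a printf-style format, the rest are its arguments.
static std::string ProcessEventLike(const char *fmt, ...) {
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    std::vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return buf;
}

// Vulnerable pattern: the user-controlled text *is* the format string, so every
// '%' directive in it is interpreted. Called here only with "%%" (well-defined);
// a lone "%s" would read a non-existent argument, which is undefined behaviour.
std::string LogEventUnsafe(const std::string &userText) {
    return ProcessEventLike(userText.c_str());
}

// Fixed pattern (the change the post recommends): a constant format with the
// user text passed as data, so directives in it are printed literally.
std::string LogEventSafe(const std::string &userText) {
    return ProcessEventLike("%s", userText.c_str());
}

// Defender-side helper: count the '%' directives a piece of user text would
// introduce if it ever reached a format argument (audit check or detection
// rule on chat input). An escaped "%%" counts as one directive, not two.
int CountFormatDirectives(const std::string &text) {
    int n = 0;
    for (size_t i = 0; i < text.size(); ++i) {
        if (text[i] == '%') {
            ++n;
            if (i + 1 < text.size() && text[i + 1] == '%') ++i; // skip the escape
        }
    }
    return n;
}

int main() {
    const std::string chat = "progress 100%% done"; // constructed sample chat line
    std::printf("unsafe: %s\n", LogEventUnsafe(chat).c_str()); // progress 100% done
    std::printf("safe:   %s\n", LogEventSafe(chat).c_str());   // progress 100%% done
    std::printf("directives: %d\n", CountFormatDirectives("hello %s %x")); // 2
    return 0;
}
```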