A vulnerability exists in a component of TIS Firewall Toolkit, a set of utilities which assists in the implementation of network firewalls. The x-gw (X-Windows Gateway) component of FWTK contains a format string bug which, depending on the method used to invoke x-gw, can permit an attacker to execute arbitrary code. When x-gw is directed to connect to a given X Windows display, the name of the desired display is supplied by the user either as a command line parameter or as an environment variable. If this input fails validity checks, an error message is displayed which includes the invalid user-supplied input. A format bug in the pmsg() function (x-gw/pmsg.c) used to display this message can permit maliciously-formed input to overwrite stack variables, such as the calling function's return address, with arbitrary values that can alter the program's flow of execution. Note that if If x-gw is invoked with the telnet gateway component (tn-gw), certain checks on user input will...
A vulnerability exists in a component of TIS Firewall Toolkit, a set of utilities which assists in the implementation of network firewalls. The x-gw (X-Windows Gateway) component of FWTK contains a format string bug which, depending on the method used to invoke x-gw, can permit an attacker to execute arbitrary code. When x-gw is directed to connect to a given X Windows display, the name of the desired display is supplied by the user either as a command line parameter or as an environment variable. If this input fails validity checks, an error message is displayed which includes the invalid user-supplied input. A format bug in the pmsg() function (x-gw/pmsg.c) used to display this message can permit maliciously-formed input to overwrite stack variables, such as the calling function's return address, with arbitrary values that can alter the program's flow of execution. Note that if If x-gw is invoked with the telnet gateway component (tn-gw), certain checks on user input will eliminate this vulnerability. However, systems using other methods to start x-gw may be vulnerable, and should be carefully checked.
