COMMAND

    pwc

SYSTEMS AFFECTED

    pwc

PROBLEM

    Wojtek Pawlikowski found the following.  There is a format string
    bug in 'pwc' (ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz).
    This CGI script is used to change a user's password via the web
    (blah!).  writelog() formats its arguments into a 512-byte buffer
    and then calls syslog(), which 'eats' the characters and writes
    them to the system logs.  Because that buffer is handed to syslog()
    as the format string, you can paste shellcode into the buffer and
    syslog() will run it without any problems.

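        #include <stdarg.h>
        #include <stdio.h>
        #include <syslog.h>

        void writelog(const char *fmt, ...)
        {
            va_list args;
            char buffer[512];

            va_start(args, fmt);

            /* SERVICENAME is defined elsewhere in pwc. */
            openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
            /* First pass: expand the caller's format into the buffer. */
            vsnprintf(buffer, sizeof(buffer), fmt, args);
            /* BUG: the buffer is passed to syslog() as the format string. */
            syslog(LOG_ERR, buffer);
            closelog();
            va_end(args);
        }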

    As you can see, this is a potential security bug.

SOLUTION

    Change

        syslog(LOG_ERR, buffer);

    to

        syslog(LOG_ERR, "%s", buffer);
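
    The double interpretation behind this bug and the effect of the "%s"
    fix, as an added example (not code from pwc or from the advisory).
    snprintf() stands in for syslog() so the result can be inspected; the
    SERVICENAME value, the helper names and the input string are
    assumptions constructed for the demonstration.

```c
/* Added example, not pwc's code. SERVICENAME's value and helper names are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#define SERVICENAME "pwc-example"
/* The demo passes a non-literal format on purpose; this is the warning that flags it. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Pass 1, as in writelog(): expand the caller's format into a fixed buffer. */
static void first_pass(char *buf, size_t n, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    vsnprintf(buf, n, fmt, args);
    va_end(args);
}

/* Pass 2 stand-ins: snprintf() parses directives as syslog() does. */
static void second_pass_as_format(char *out, size_t n, const char *buffer)
{
    snprintf(out, n, buffer);        /* shape of syslog(LOG_ERR, buffer) */
}
static void second_pass_as_data(char *out, size_t n, const char *buffer)
{
    snprintf(out, n, "%s", buffer);  /* shape of syslog(LOG_ERR, "%s", buffer) */
}

/* writelog() with the fix from the SOLUTION section applied. */
void writelog_fixed(const char *fmt, ...)
{
    char buffer[512];
    va_list args;
    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);
    openlog(SERVICENAME, LOG_PID | LOG_CONS | LOG_NOWAIT, LOG_AUTH);
    syslog(LOG_ERR, "%s", buffer);   /* buffer is data, never a format */
    closelog();
}

int main(void)
{
    char msg[512], a[512], b[512];
    /* Constructed input: "%%" is a directive that consumes no argument. */
    first_pass(msg, sizeof msg, "bad password for %s", "alice%%");
    second_pass_as_format(a, sizeof a, msg);  /* "%%" collapses to "%" */
    second_pass_as_data(b, sizeof b, msg);    /* "%%" is kept as typed */
    printf("pass 1:    %s\nas format: %s\nas data:   %s\n", msg, a, b);
    return strcmp(a, b) == 0;  /* exit 0 when the two passes differ */
}
```

    Building with -Wformat -Wformat-security reports the unfixed call
    pattern at compile time.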