Clarify Benchmark: gzprintf

This is a micro-benchmark that exercises the gzprintf function in zlib version 1.1.3. This version of the zlib library has a bug where calls to gzprintf use a fixed sized buffer that can be overflowed. Each error class has a warm up phase, and a security expoit. The warm up phase represent normal use of the gzprintf function by a program that links in zlib. In this phase, gzprintf is called a random number of times with random arguments and a random choice of 8 format strings. The exploits are listed below. All exploits are from code discovered on the internet.

Error classes

Class Error message Cause
Normal No exploit  
Shell exploit Produces a root shell Large buffer with shell code
Crash exploit 1 Crashes program large string formatting argument, "%10240s"
Crash exploit 2 Crashes program Large buffer with garbage

Back to Clarify

Last modified: Fri Sep 15 13:48:47 CDT 2006