CVE-2003-0363

HIGH 7.5 / 10.0
Published: December 31, 2003 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Format string vulnerability in LICQ 1.2.6, 1.0.3 and possibly other versions allows remote attackers to perform unknown actions via format string specifiers.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

LICQ, a popular instant messaging client, is vulnerable to a format string vulnerability, allowing remote attackers to execute arbitrary code. Successful exploitation could lead to complete system compromise, including data theft and denial of service, by sending specially crafted messages to a targeted user.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious message containing format string specifiers (e.g., %x, %s, %n).
Step 2: Message Transmission: The attacker sends the crafted message to a target user of the vulnerable LICQ client.
Step 3: Message Processing: The vulnerable LICQ client receives the message and processes it, likely displaying it to the user.
Step 4: Vulnerability Trigger: The LICQ client passes the attacker-controlled message, including the format string specifiers, to a function like printf or fprintf without proper sanitization.
Step 5: Memory Manipulation: The format string specifiers are interpreted by the printf or fprintf function, allowing the attacker to read from or write to arbitrary memory locations.
Step 6: Code Execution (Potential): If the attacker successfully crafts a payload that overwrites a function pointer or other critical data, they can achieve arbitrary code execution, gaining control of the compromised system.

03 // Deep Technical Analysis

The vulnerability stems from improper handling of user-supplied input within the LICQ application. Specifically, the software fails to sanitize format string specifiers before passing the input to functions like printf or fprintf, so an attacker can inject format string specifiers (e.g., %x, %s, %n) into a message. Those specifiers can then be used to read from or write to arbitrary memory locations, potentially leading to arbitrary code execution, information disclosure, or a denial-of-service condition. The root cause is a lack of input validation and sanitization, which allows attacker-controlled data to influence the program's behavior. The absence of proper bounds checking on the input further exacerbates the risk, enabling the attacker to manipulate the program's memory and potentially overwrite critical data structures.
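The mechanism in sections 02 and 03, shown as an added example that is not LICQ's code or part of this CVE record: the vulnerable pattern (message used directly as the printf format) is kept as a comment beside its hardened form (constant format, message passed as data), plus a defender-side scanner that counts conversion specifiers in an inbound message so a client or log rule can flag it. The function names, the static output buffer and the sample message are assumptions made for this demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative, not LICQ's actual code): the message body
 * is the format argument, so "%x", "%s" and "%n" inside it are interpreted by
 * printf. Kept as a comment since running it is undefined behaviour; gcc and
 * clang warn about it with -Wformat -Wformat-security.
 *     void show_message_unsafe(const char *msg) { printf(msg); }  */

/* Hardened form: constant format, message passed as a "%s" argument, so '%'
 * sequences in it print literally. Static buffer for demo simplicity. */
const char *render_message(const char *from, const char *msg)
{
    static char out[256];
    snprintf(out, sizeof out, "[%s] %s", from, msg);
    return out;
}

/* Counts printf conversion specifiers in an inbound message and reports
 * whether "%n" (the only one that writes memory) occurs. "%%" is a literal. */
static int scan_conversions(const char *msg, bool *has_n)
{
    int count = 0;
    *has_n = false;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++; /* flags/width/length */
        if (!*p) break;
        if (*p == 'n') *has_n = true;
        count++;
    }
    return count;
}

/* Defender-side checks a receiving client or log rule can apply before the
 * text reaches any display code. */
int count_conversions(const char *msg) { bool n; return scan_conversions(msg, &n); }
bool has_percent_n(const char *msg) { bool n; scan_conversions(msg, &n); return n; }

int main(void)
{
    const char *msg = "hello %08x.%08x %n"; /* constructed sample message */
    printf("%s\n", render_message("alice", msg));
    printf("conversions=%d percent_n=%d\n", count_conversions(msg), has_percent_n(msg));
    return 0;
}
```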

CVE-2003-0363 - HIGH Severity (7.5) | Free CVE Database | 4nuxd