Bugtraq mailing list archives

mount/umount realpath() buffer overflow


From: davem () iss net (David J. Meltzer)
Date: Tue, 13 Aug 1996 10:42:34 -0400


The problem "bloodmask" "discovered" (this bug has been exploited and
reported as a possible problem on linux-security before "bloodmask"
seems to have found it) with mount/umount has been in the libc
realpath() function failing to check bounds on the path parameter passed
to it.  This function was duplicated with the identical code inside the
mount distribution, and then not used for some reason I don't
understand; in fact the code will compile cleanly if you simply rm
realpath.c from the mount distribution.  However since people are more
likely to upgrade their mount/umount code than libc, it is probably wise
at this point to leave a corrected version of realpath.c in the
distribution to avoid relying on a very likely broken libc.

For the mount distribution (from mount-util-linux-1.10.tar.gz), the diff
for a bounds-checking realpath.c is:
82c82
<       strcpy(copy_path, path);
---
      strncpy(copy_path, path, PATH_MAX);
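Review bot: `strncpy(copy_path, path, PATH_MAX)` stops the write past the end of copy_path, but strncpy writes no terminating NUL when the source is PATH_MAX bytes or longer, so (assuming copy_path is a PATH_MAX-byte buffer, as the bound implies) it can be left unterminated and any later strlen/strcpy on it reads past its end. Suggest checking `strlen(path) >= PATH_MAX` first and returning an error (ENAMETOOLONG, as the kernel does for overlong paths), or at minimum copying PATH_MAX - 1 bytes and writing `copy_path[PATH_MAX - 1] = '\0'`. Note also that the replacement lines in this and the following hunks have lost their leading `>` markers in the mail, so the text cannot be handed to patch(1) as is.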
165c165
<                       strcpy(copy_path, link_path);
---
                      strncpy(copy_path, link_path, PATH_MAX);
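Review bot: the same missing-terminator caveat applies to `strncpy(copy_path, link_path, PATH_MAX)`, and there is a second concern here: silently truncating what appears to be a symlink target makes the function carry on resolving a different path than the one the link points to, which in a setuid mount/umount is a worse outcome than failing. Rejecting an overlong link target with an error is the safer choice.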


You then need to add realpath to the Makefile:
62c62
< mount: mount.o fstab.o sundries.o version.o $(NFS_OBJS) $(LO_OBJS)
---
mount: mount.o fstab.o sundries.o version.o realpath.o $(NFS_OBJS)
$(LO_OBJS)
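Review bot: the replacement rule line is wrapped in the mail, with `$(LO_OBJS)` left on a line of its own; pasted into the Makefile that way it is a stray line rather than part of the `mount:` dependency list and make will reject it, so join it back into a single line: `mount: mount.o fstab.o sundries.o version.o realpath.o $(NFS_OBJS) $(LO_OBJS)`.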
65c65
< umount: umount.o fstab.o sundries.o version.o $(LO_OBJS)
---
umount: umount.o fstab.o sundries.o version.o realpath.o $(LO_OBJS)
77a78,80

realpath.o: realpath.c
      $(COMPILE) $(RPC_CFLAGS) realpath.c
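Review bot: the recipe line `$(COMPILE) $(RPC_CFLAGS) realpath.c` must be indented with a literal tab in the Makefile; the mail shows it with spaces, and make fails on a space-indented recipe with a "missing separator" error. Worth stating explicitly since this hunk (77a78,80) is an addition that readers will type in rather than apply.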



In the basically identical libc bsd/realpath.c code (looking at a 5.0.9
source tree, perhaps this was changed/fixed already in newer versions):

72c72
<       strcpy(copy_path, path);
---
      strncpy(copy_path, path, PATH_MAX);
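Review bot: same termination issue as in the mount copy: `strncpy(copy_path, path, PATH_MAX)` leaves no NUL for inputs of PATH_MAX bytes or more. For a libc-wide realpath() the stricter fix is to fail with ENAMETOOLONG on overlong input rather than truncate, since every setuid caller inherits whatever this function does with the tail of the buffer.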
155c155
<                       strcpy(copy_path, link_path);
---
                      strncpy(copy_path, link_path, PATH_MAX);
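Review bot: as with the mount hunk for link_path, this bounds the copy but still truncates silently and may leave copy_path unterminated; prefer returning an error when the link target does not fit in the buffer.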


I believe this fixes the exploited buffer overflow in realpath.c; I would
of course encourage you to review the source code yourself for ANY program
you are going to add suid on your system.  Other problems that may exist
elsewhere in the mount/umount code I have not examined; as with any
program, if you do not have a specific need to run it suid root, don't.


Dave

--------------------------------+---------------------
       David J. Meltzer         | Email: davem () iss net
       Systems Engineer         |   Web:   www.iss.net
Internet Security Systems, Inc. |   Fax: (404)252-2427
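As an added example, not code from the post above or from the mount/libc sources, the following C shows what the patched `strncpy(copy_path, path, PATH_MAX)` line does at the length boundary and contrasts it with a bounded copy that rejects overlong input; PATH_MAX and the name copy_path come from the diffs, while the function names and the constructed test paths are assumptions.

```c
/* Added example, not code from the original post or the mount/libc sources:
 * shows that strncpy(copy_path, path, PATH_MAX) stops the overflow but leaves
 * copy_path unterminated when path is PATH_MAX bytes or longer, and shows a
 * bounded copy that rejects such input with ENAMETOOLONG. Names are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Mirrors the patched line: bounded copy into a PATH_MAX buffer.
 * Returns 1 if copy_path is NUL-terminated afterwards, 0 if it is not. */
int patched_copy_terminated(const char *path)
{
    char copy_path[PATH_MAX];
    strncpy(copy_path, path, PATH_MAX); /* no NUL written if strlen(path) >= PATH_MAX */
    return memchr(copy_path, '\0', sizeof copy_path) != NULL;
}

/* Stricter replacement: refuse a path that does not fit instead of silently
 * truncating it. Returns 0 on success, -1 with errno = ENAMETOOLONG. */
int safe_copy_path(char *copy_path, size_t size, const char *path)
{
    size_t len = strlen(path);
    if (len >= size) { errno = ENAMETOOLONG; return -1; }
    memcpy(copy_path, path, len + 1); /* len + 1 copies the terminator too */
    return 0;
}

/* Convenience wrapper with a PATH_MAX destination, for the checks below. */
int safe_copy_check(const char *path)
{
    char copy_path[PATH_MAX];
    return safe_copy_path(copy_path, sizeof copy_path, path);
}

/* Constructed input: a path of 'len' bytes of 'a' (capped at PATH_MAX + 15). */
const char *constructed_path(size_t len)
{
    static char path[PATH_MAX + 16];
    if (len >= sizeof path) len = sizeof path - 1;
    memset(path, 'a', len);
    path[len] = '\0';
    return path;
}
```

A path of exactly PATH_MAX bytes is the case the patched line gets wrong: the copy no longer overflows, but nothing marks where it ends.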


