Bugtraq mailing list archives
possible freebsd su problem?
From: taz () primenet com (taz)
Date: Thu, 6 Nov 1997 11:30:02 -0600
I checked the archives, not a word of this was to be found so here goes.

First off, my o/s: FreeBSD xxxxxx 2.2.1-RELEASE

Upon running su today, which is obviously setuid on most systems, I used the argument '--' instead of '-'. This caused it to seg fault. I ran gdb on it and found the problem was in a getpwnam() call. Here is the source.

-- FreeBSD su.c (line 175)--
	}

	/* get target login information, default to root */
--->	if ((pwd = getpwnam(user)) == NULL) {	<---
		errx(1, "unknown login: %s", user);
	}
-- end --

It turns out an earlier call to getopt() returns EOF, yet it still thinks it has an extra argument for the username, which it doesn't, so it points user to argv[2], which is null. It then calls getpwnam() with the null argument, as shown in the code, and the getpwnam() function in libc tries to do a strlen() on the null pointer and seg faults. End of program.

Exploitable in any way? I have no idea. I would be very interested in comments on this if it is exploitable.

Attached to this is a small patch which checks to see if user is valid or not before making the getpwnam() call. Again this patch is meant for FreeBSD su only. I tried this same thing on Sun and Linux and it didn't seem to work.
-taz
------------------------------------------------------------------------
taz on IRC taz () dal net

[Attachment: su.patch]

--- su.c	Thu Nov  6 11:05:37 1997
+++ goodsu.c	Thu Nov  6 11:04:32 1997
@@ -174,6 +174,10 @@
 			iscsh = NO;
 		}
 
+	/* if user is null, exit */
+	if(!user)
+		errx(1, "syntax error");
+
 	/* get target login information, default to root */
 	if ((pwd = getpwnam(user)) == NULL) {
 		errx(1, "unknown login: %s", user);
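Review bot: the new `if(!user)` guard in front of getpwnam() stops the crash, but it sits far from the cause and "syntax error" tells the user nothing; since user only ends up NULL because the argument scan indexed argv past the last argument after getopt() returned, the tighter fix is to validate the operand count right after the getopt() loop (argc against optind) and print the usage line there, leaving getpwnam() to report only "unknown login". Style nit: `if(!user)` should read `if (!user)` to match the surrounding `if ((pwd = getpwnam(user)) == NULL)`.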
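The defect described in the post, reproduced as a stand-alone C program beside a hardened version. This is an added example, not code from the original post or from FreeBSD's su.c: the functions target_user_fragile(), target_user_checked() and lookup_user() are hypothetical names, the option scanning is a hand-written imitation of how getopt(3) stops at "--" (so the program is not tied to getopt's global state), and the usage string is a placeholder. The fragile scan hands a NULL to getpwnam() for "su --"; the checked scan never yields a NULL login name, and the lookup wrapper refuses a NULL or empty name before the libc call rather than letting strlen() walk it.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/*
 * Fragile variant (constructed to mirror the defect described in the
 * post, not FreeBSD's actual su.c): if argv[1] looks like an option it
 * assumes the login name is argv[2].  For "su --" argc is 2, so argv[2]
 * is the NULL that terminates argv, and that NULL would reach getpwnam().
 */
static const char *target_user_fragile(int argc, char **argv)
{
    if (argc > 1 && argv[1][0] == '-')
        return argv[2];                 /* NULL when nothing follows */
    return argc > 1 ? argv[1] : "root";
}

/*
 * Checked variant: skip option tokens the way getopt(3) does, treating
 * "--" as the end of options, then count the operands that remain.
 * On success *user is never NULL (no operand means "root"); more than
 * one operand is a usage error reported to the caller.
 */
static int target_user_checked(int argc, char **argv, const char **user)
{
    int i = 1;

    while (i < argc && argv[i][0] == '-') {
        i++;
        if (strcmp(argv[i - 1], "--") == 0)
            break;                      /* "--" ends option scanning */
    }
    if (argc - i > 1)
        return -1;                      /* surplus operand: usage error */
    *user = (i < argc) ? argv[i] : "root";
    return 0;
}

/*
 * Validate before the libc call: getpwnam(NULL) runs strlen() on the
 * NULL pointer, which is the segfault the post describes.
 * Returns -1 for a missing or empty name, 1 for an unknown login, 0 on hit.
 */
static int lookup_user(const char *user, struct passwd **pwd)
{
    *pwd = NULL;
    if (user == NULL || *user == '\0')
        return -1;
    *pwd = getpwnam(user);
    return *pwd == NULL ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *user;
    const char *fragile = target_user_fragile(argc, argv);
    struct passwd *pwd;

    /* show what the fragile scan would have passed to getpwnam() */
    printf("fragile scan would pass %s to getpwnam()\n",
           fragile ? fragile : "a NULL pointer");

    if (target_user_checked(argc, argv, &user) != 0) {
        fprintf(stderr, "usage: %s [options] [login]\n", argv[0]);
        return 1;
    }
    switch (lookup_user(user, &pwd)) {
    case 0:
        printf("target login %s has uid %u\n",
               pwd->pw_name, (unsigned)pwd->pw_uid);
        return 0;
    case 1:
        fprintf(stderr, "unknown login: %s\n", user);
        return 1;
    default:
        fprintf(stderr, "no login name given\n");
        return 1;
    }
}
```

Run it as `./a.out --` to see the two scans disagree: the fragile one reports a NULL pointer, the checked one falls back to root. The separation matters for a setuid program: argument validation and the privileged lookup are distinct steps, and the crash the post found is what happens when the first step is trusted to have done the second step's job.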