Bugtraq mailing list archives
Re: Babcia Padlina Ltd. security advisory: mars_nwe buffer
From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Thu, 2 Sep 1999 05:21:59 +0300
Przemyslaw Frasunek writes:

@@ -103,11 +103,11 @@ uint8 command[500]; struct stat statb; if (!stat(newname, &statb)) return(EEXIST); if (stat(oldname, &statb)) return(-1); else if (!S_ISDIR(statb.st_mode)) return(-1); - - sprintf(command, "mv %s %s 2>&1 >/dev/null" , oldname, newname); + snprintf(command, sizeof(command)-1, "mv %s %s 2>&1 >/dev/null" , oldname, newname); return(system(command)); }

Without seeing the context, I can't say for sure, but this looks like a hole
big enough to drive a truck through - calling system() with user-supplied
arguments. If this code is running with superuser privileges and shell
metacharacters haven't been removed very carefully, there's going to be a
trivial exploit.

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
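
Review bot: in the added snprintf() line the return value is discarded, so when oldname and newname do not fit in command[500] a truncated mv command still reaches return(system(command)); compare the result against sizeof(command) and return an error instead of running it. The -1 on sizeof(command) is not needed, because snprintf() already counts the terminating NUL within its size argument. Both names are still pasted unquoted into a shell command line, so bounding the copy does not stop the shell from interpreting them; rename(2), or fork() plus execv() with an argument vector, would avoid the shell altogether. Also, "2>&1 >/dev/null" points stderr at the original stdout and sends only stdout to /dev/null; ">/dev/null 2>&1" is the order that silences both.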
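
The concern raised in the reply above, shown as an added example that is not part of the original message and is not mars_nwe code: the same directory move done with rename(2), so the names are never handed to a shell. The function names move_dir_noshell and demo_metachar_name, the /tmp scratch directory and the sample directory names are assumptions made up for this illustration.

```c
#define _XOPEN_SOURCE 700   /* for lstat() and mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the patched routine (not mars_nwe code): the
 * same pre-checks as the quoted hunk, but the move is done by rename(2),
 * so the names never reach /bin/sh and no command buffer is needed.
 * lstat() is used instead of stat() so symlinks are not followed. */
int move_dir_noshell(const char *oldname, const char *newname)
{
    struct stat statb;

    if (!lstat(newname, &statb)) return EEXIST;   /* target already exists */
    if (lstat(oldname, &statb)) return -1;        /* source is missing */
    if (!S_ISDIR(statb.st_mode)) return -1;       /* directories only */

    /* Unlike mv, rename(2) does not copy across filesystems; that case
     * fails with EXDEV and is reported to the caller. */
    if (rename(oldname, newname) != 0)
        return errno == EXDEV ? EXDEV : -1;
    return 0;
}

/* Constructed check: names full of shell metacharacters are moved as
 * literal strings. Returns 1 when every expectation holds. */
int demo_metachar_name(void)
{
    char base[] = "/tmp/nwe_demo_XXXXXX";
    char src[128], dst[128];
    struct stat st;
    int ok;

    if (!mkdtemp(base)) return 0;
    snprintf(src, sizeof src, "%s/old; echo $(id) `id`", base);
    snprintf(dst, sizeof dst, "%s/new name & more", base);
    if (mkdir(src, 0700) != 0) return 0;

    ok = move_dir_noshell(src, dst) == 0            /* moved literally */
      && stat(dst, &st) == 0 && S_ISDIR(st.st_mode)
      && stat(src, &st) != 0                        /* old name is gone */
      && move_dir_noshell(dst, dst) == EEXIST;      /* existing target refused */
    rmdir(dst);
    rmdir(base);
    return ok;
}

int main(void) { printf("%s\n", demo_metachar_name() ? "ok" : "FAILED"); return 0; }
```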