Bugtraq mailing list archives
Re: local root on linux 2.2.15
From: peter () SCARYDEVIL ORG (Peter da Silva)
Date: Thu, 15 Jun 2000 10:44:07 -0500
In article <87bt184i7z.fsf () arabella intern opera no> you write:
> Always check the return value of system calls. Always. Always. Always.
>
> [...]
>
> cap_user_header_t header;
> cap_user_data_t data;
>
> header = malloc(8);
> data = malloc(12);
> header->pid = 0;
> header->version = _LINUX_CAPABILITY_VERSION;
> data->inheritable = data->effective = data->permitted = 0;
Two bugs here:

1. If sizeof(cap_user_header_t) or sizeof(cap_user_data_t) increases, you'll get a buffer overflow in the malloc()ed data. This isn't as bad as a buffer overflow on the stack, because it's almost impossible to exploit for anything but a DoS attack, but it's easy to avoid:

    header = malloc(sizeof (cap_user_header_t) );
    data = malloc(sizeof (cap_user_data_t) );

2. Ironically, you're not checking the return value of a system call, namely brk() or sbrk() (or maybe mmap(), depending on how they're implementing malloc() in Lunix these days). Before using header or data, check that malloc() succeeded.

    if(! (header = malloc(sizeof (cap_user_header_t) ) ) ) {
        perror("malloc: header");
        return or exit();
    }
    if(! (data = malloc(sizeof (cap_user_data_t) ) ) ) {
        perror("malloc: data");
        return or exit();
    }
> capset(header, data);
I don't have a recent Linux box to check, but isn't this a system call? If this fails, what happens? In the sample code, nothing bad... but if you don't get in the habit of automatically writing robust code, you're going to be reading one of these alerts some day with your name on it... as the victim. (And if I missed something in the code above, go ahead and stamp all over my face; I know I've shipped broken code in the past... they say there's no saint like a converted sinner.)
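The following is an added example, not code from the original exploit or from this message, showing what the quoted capset() fragment looks like with the sizes and return-value checks the reply calls for. It assumes Linux and calls capget()/capset() through syscall(2) so it builds without libcap. The struct and typedef names are declared locally to mirror <linux/capability.h>; note that in that header cap_user_header_t and cap_user_data_t are typedefs for pointers, so sizeof() on the typedef gives the pointer size, and the example sizes its allocations with sizeof *header and sizeof *data instead. The version constant 0x19980330 is the _LINUX_CAPABILITY_VERSION of the 2.2 era (the kernel still accepts it as a legacy 32-bit header); the injectable allocator, failing_alloc() and the function names are this example's own.

```c
/* Added example (not from the original thread): hardened version of the
 * quoted capset() fragment. Linux only; uses the raw syscalls so it needs
 * no libcap. Struct/typedef names mirror <linux/capability.h> but are
 * declared here on purpose, to show that the typedefs are POINTER types. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

extern long syscall(long number, ...);   /* glibc/musl prototype; restated for strict -std= builds */

#define LEGACY_CAP_VERSION 0x19980330u   /* _LINUX_CAPABILITY_VERSION on 2.2 kernels */

struct __user_cap_header_struct { uint32_t version; int32_t pid; };
struct __user_cap_data_struct   { uint32_t effective, permitted, inheritable; };
typedef struct __user_cap_header_struct *cap_user_header_t;   /* a pointer! */
typedef struct __user_cap_data_struct   *cap_user_data_t;     /* a pointer! */

/* The sizes the kernel reads/writes are the struct sizes, not pointer sizes. */
size_t header_struct_size(void) { return sizeof(struct __user_cap_header_struct); } /* 8 */
size_t data_struct_size(void)   { return sizeof(struct __user_cap_data_struct);   } /* 12 */
size_t data_pointer_size(void)  { return sizeof(cap_user_data_t); }  /* 4 or 8, never 12 */

static long sys_capget(cap_user_header_t h, cap_user_data_t d) { return syscall(SYS_capget, h, d); }
static long sys_capset(cap_user_header_t h, cap_user_data_t d) { return syscall(SYS_capset, h, d); }

/* Effective capability bits (low 32) of the calling process, or -1 on error. */
int64_t own_effective_caps(void)
{
    struct __user_cap_header_struct hdr = { LEGACY_CAP_VERSION, 0 };  /* pid 0 == self */
    struct __user_cap_data_struct data[2] = {{0}};
    if (sys_capget(&hdr, data) == -1) { perror("capget"); return -1; }
    return data[0].effective;
}

/* What an unchecked call would hide: a version the kernel does not know makes
 * capget() fail with EINVAL, and the kernel writes the version it wants back
 * into the header. Returns that version, or 0 if the failure mode differs. */
uint32_t probe_kernel_cap_version(void)
{
    struct __user_cap_header_struct hdr = { 0, 0 };   /* deliberately bogus version */
    struct __user_cap_data_struct data[2];
    if (sys_capget(&hdr, data) == 0 || errno != EINVAL) return 0;
    return hdr.version;
}

/* Drop every capability of the calling process: the quoted code with correct
 * sizes and every return value checked. The allocator is a parameter so the
 * allocation-failure path can be exercised without exhausting memory. */
int drop_all_caps_with(void *(*alloc)(size_t))
{
    cap_user_header_t header = alloc(sizeof *header);  /* 8 bytes: the struct, not the pointer */
    cap_user_data_t   data   = alloc(sizeof *data);    /* 12 bytes */
    int rc = -1;
    if (!header || !data) { perror("malloc"); goto out; }
    header->version = LEGACY_CAP_VERSION;
    header->pid = 0;
    data->effective = data->permitted = data->inheritable = 0;
    if (sys_capset(header, data) == -1) { perror("capset"); goto out; }
    rc = 0;
out:
    free(header);   /* free(NULL) is a no-op */
    free(data);
    return rc;
}

int drop_all_caps(void) { return drop_all_caps_with(malloc); }

/* Stand-in allocator that always fails, for exercising the error path. */
void *failing_alloc(size_t n) { (void)n; errno = ENOMEM; return NULL; }

int main(void)
{
    printf("kernel capability ABI version: 0x%08x\n", (unsigned)probe_kernel_cap_version());
    int64_t before = own_effective_caps();
    if (before < 0 || drop_all_caps() != 0) return 1;
    int64_t after = own_effective_caps();
    if (after < 0) return 1;
    printf("effective caps: 0x%08llx -> 0x%08llx\n", (long long)before, (long long)after);
    return 0;
}
```

Allocating the two structs on the stack (as own_effective_caps() does) removes the malloc() check entirely; the heap version is kept only to stay close to the quoted code. The capset() check is the one that matters in practice: a program that believes it dropped privileges when the call actually failed is exactly the kind of bug this message warns about.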