Re: dump buffer overflow

[kris () HUB FREEBSD ORG (Kris Kennaway)]

On Tue, 7 Mar 2000, Lamagra Argamal wrote:

> On FreeBSD dump has the same hole i describes in my previous post.
> Only it is exploitable :-) Dump with kerberos has __atexit and
> __cleanup after all the other variables on the heap. By overwriting
> these variables you can start your shellcode.
>
> Most of the credits should go to zen-parse who found and tested this.

This was fixed on 1999/11/30 in 4.0-CURRENT by internal security auditing
and backported to 3.3-STABLE on 1999/12/13. Therefore FreeBSD 3.4 (the
most recent release) is not vulnerable.

On the one hand, I'm glad you checked FreeBSD for vulnerability, but on
the other hand it would be kinda nice to at least check the most recent
release if not the -stable branch, instead of something more than 3 months
out of date. Or failing that, to at least state which version it was that
you found to be vulnerable :-(

----------------------------
revision 1.9
date: 1999/11/10 18:11:16;  author: imp;  state: Exp;  lines: +2 -2
vsprintf -> vsnprintf in msg().
----------------------------

----------------------------
revision 1.5.2.3
date: 1999/12/13 15:53:13;  author: imp;  state: Exp;  lines: +2 -2
Back merge buffer overflow in static buffer
----------------------------

----SNIP
        (void) vfprintf(stderr, fmt, ap);
        (void) fflush(stdout);
        (void) fflush(stderr);
        (void) vsnprintf(lastmsg, sizeof(lastmsg), fmt, ap);
        va_end(ap);
----SNIP

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>