Bugtraq mailing list archives
Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
From: ronald () GRAFIX NL (Ronald Huizer)
Date: Sat, 4 Mar 2000 18:55:43 -0000
No. getenv() fails because *envp, argc, **argv are AFTER the pathname[] buffer and get overwritten.
Of course, it is still exploitable.
It doesn't quite look that way to me. The overflow takes place after the setuid(getuid()) call has been made, which renders execution of shellcode useless to us. The first overflow that is encountered in this way is NOT the strcpy(pathname, disk) but the realpath() function, which expects pathname to be of size MAXPATHLEN instead of a mere 255 bytes. After this the buffer is overflown again by the strcpy() call. After patching pathname to be of MAXPATHLEN size the buffer still gets overflown by the strcpy() function, which should be made into a strncpy() to function properly. Full patch included (not a workaround that just chokes in a \0 at the end of char *disk).

--- main.c.old Fri Jan 21 11:17:41 2000 +++ main.c Sat Mar 4 19:42:13 2000 @@ -119,7 +119,7 @@ #ifdef __linux__ errcode_t retval; char directory[NAME_MAX]; - char pathname[NAME_MAX]; + char pathname[MAXPATHLEN]; #endif time_t tnow; char labelstr[LBLSIZE]; @@ -363,7 +363,7 @@ #ifdef HAVE_REALPATH if (realpath(disk, pathname) == NULL) #endif - strcpy(pathname, disk); + strncpy(pathname, disk, MAXPATHLEN); dt = fstabsearchdir(pathname, directory); if (dt != NULL) { char name[MAXPATHLEN];

Cheers,
Ronald Huizer - ronald () grafix nl
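Review bot: in the first hunk, sizing pathname to MAXPATHLEN fixes the realpath() write, but the context line just above it, char directory[NAME_MAX];, is left at NAME_MAX and that buffer is handed to fstabsearchdir(pathname, directory) in the second hunk; confirm that fstabsearchdir() bounds what it writes into directory to NAME_MAX, or size it MAXPATHLEN as well. MAXPATHLEN is already available in this file, since the unchanged char name[MAXPATHLEN]; further down uses it.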
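Review bot: in the second hunk, strncpy(pathname, disk, MAXPATHLEN) stops the overflow but leaves pathname without a NUL terminator whenever strlen(disk) >= MAXPATHLEN, and that unterminated buffer goes straight into fstabsearchdir(pathname, directory) on the next line; copy at most MAXPATHLEN - 1 bytes and set pathname[MAXPATHLEN - 1] = '\0' afterwards, or refuse an oversized disk name outright, which is what realpath() already does for that case when HAVE_REALPATH is defined. Note also that the #ifdef means the copy runs unconditionally when HAVE_REALPATH is not defined, so the termination fix matters on both build paths.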
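An added example (not Ronald's patch and not dump's own code) of the fallback copy the patch reaches for, written so that pathname is always NUL-terminated and an oversized name is rejected rather than silently truncated, plus a small check showing why a bare strncpy(..., MAXPATHLEN) is not enough; resolve_disk_path, check_resolve_len and strncpy_terminated are hypothetical helpers of mine, and the MAXPATHLEN fallback value is an assumption for systems whose sys/param.h lacks it.

```c
#define _XOPEN_SOURCE 700   /* expose realpath() */
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#ifndef MAXPATHLEN          /* assumption: fall back to the Linux value */
#define MAXPATHLEN 4096
#endif

/* Hypothetical replacement for the realpath()-then-copy step in dump's main.c:
   resolve 'disk' into pathname; if that fails, copy it only when it fits,
   so pathname is always NUL-terminated. Returns 0 on success, -1 if rejected. */
int resolve_disk_path(const char *disk, char pathname[MAXPATHLEN])
{
    if (realpath(disk, pathname) != NULL)
        return 0;
    size_t len = strlen(disk);
    if (len >= MAXPATHLEN) {         /* would need MAXPATHLEN + 1 bytes: refuse */
        pathname[0] = '\0';
        return -1;
    }
    memcpy(pathname, disk, len + 1); /* copies the terminator as well */
    return 0;
}

/* Constructed check: 1 if a name of 'len' 'A's is accepted and the result is
   terminated inside the buffer, 0 if it was rejected. */
int check_resolve_len(size_t len)
{
    char pathname[MAXPATHLEN];
    char *name = malloc(len + 1);
    memset(name, 'A', len);
    name[len] = '\0';
    int accepted = resolve_disk_path(name, pathname) == 0;
    free(name);
    return accepted && memchr(pathname, '\0', MAXPATHLEN) != NULL;
}

/* Constructed check of the patch's strncpy(pathname, disk, MAXPATHLEN) idiom:
   strncpy a source of 'srclen' bytes into an n-byte buffer and report whether
   a NUL terminator landed inside the buffer (it does not once srclen >= n). */
int strncpy_terminated(size_t srclen, size_t n)
{
    char *src = malloc(srclen + 1), *dst = malloc(n);
    memset(src, 'B', srclen);
    src[srclen] = '\0';
    memset(dst, 'X', n);              /* stand-in for stale stack contents */
    strncpy(dst, src, n);
    int ok = memchr(dst, '\0', n) != NULL;
    free(src);
    free(dst);
    return ok;
}
```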