Full Disclosure mailing list archives
Re: ltrace bug
From: Andrés Roldán <aroldan () debian org>
Date: Tue, 07 Oct 2003 17:06:22 -0500
This seems to be fixed in the latest version: aroldan@volatile:~$ ltrace -V ltrace version 0.3.30. Copyright (C) 1997-2002 Juan Cespedes <cespedes () debian org>. This is free software; see the GNU General Public Licence version 2 or later for copying conditions. There is NO warranty. "Abhisek Datta" <abhisek () linuxmail org> writes:
********************************* BFI Security Research Group ********************************* Vulnerability: ============== A heap based buffer overrun bug is identified in ltrace 'Library Call Tracer' utility version 0.3.10-12 which allows execution of arbitrarty code with root privilage by corrupting the heap. Affected Versions: ================= So far now only tested version 0.3.10-12 on RedHat Linux 8 (2.4.18-14) seems to be vulnerable to this approach. Description: ============ There seems to exists a heap based buffer overflow vulenrability in ltrace utility version 0.3.10-12. Based on my research so far, I think the bug is in static char *search_for_command(char * filename) function in options.c . [root@localhost codes]# rpm -qa |grep ltrace ltrace-0.3.10-12 [root@localhost codes]# ltrace -V ltrace version 0.3.11. Copyright (C) 1997-1999 Juan Cespedes <cespedes () debian org>. This is free software; see the GNU General Public Licence version 2 or later for copying conditions. There is NO warranty. [root@localhost codes]# cp `which ltrace` ltrace [root@localhost codes]# ltrace ./ltrace `perl -e 'print "A"x6000'` __libc_start_main(0x08049a40, 2, 0xbfff7f84, 0x08048f30, 0x08057644 <unfinished ...> getpid() = 2487 __cxa_atexit(0x08049cf0, 0, 0, 0x0805b860, 0x420aedf0) = 0 signal(2, 0x08049c10) = NULL signal(15, 0x08049c10) = NULL getopt_long(2, 0xbfff7f84, "+dfiLSrthVCa:s:o:u:p:e:", 0x0805b060, 0xbfff6f08) = -1 strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., '/') = NULL getenv("PATH") = "/usr/local/sbin:/usr/local/bin:/"... strchr("/usr/local/sbin:/usr/local/bin:/"..., ':') = ":/usr/local/bin:/sbin:/bin:/usr/"... strncpy(0x0805b880, "/usr/local/sbin", 15) = 0x0805b880 strcpy(0x0805b890, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"... <unfinished ...> --- SIGSEGV (Segmentation fault) --- +++ killed by SIGSEGV +++ ltrace 0.3.11 src ================== options.c : static char *search_for_command(char * filename) { static char pathname[1024]; char *path; int m, n; if (strchr(filename, '/')) { return filename; for (path = getenv("PATH"); path && *path; path += m) { if (strchr(path, ':')) { n = strchr(path, ':') - path; m = n + 1; } else { m = n = strlen(path); strncpy(pathname, path, n); if (n && pathname[n - 1] != '/') { pathname[n++] = '/'; strcpy(pathname + n, filename); /* Possible buffer overrun */ if (!access(pathname, X_OK)) { return pathname; return filename; } Seems like there is no bound checking for the length of filename which is passed as parameter to the function.Version 0.3.20 implements bound checking before for(path = getenv("PATH"); path && *path; path += m) and hence cannot be exploited this way. The exploitation of this bug doesnt appear to be a simple one and conventional heap based overun exploitation techniques probably wont work. by Abhisek Datta abhisek () bfisecure com BFI Security Research Group India -- ______________________________________________ http://www.linuxmail.org/ Now with e-mail forwarding for only US$5.95/yr Powered by Outblaze _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
-- Andres Roldan <aroldan () debian org> GPG Key-ID: 0xB29396EB
Attachment:
_bin
Description:
Current thread:
- ltrace bug Abhisek Datta (Oct 07)
- Re: ltrace bug Andrés Roldán (Oct 07)
- Re: ltrace bug Jirka Kosina (Oct 07)