From owner-freebsd-bugs@FreeBSD.ORG Sun Apr 4 15:00:39 2004
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B36B16A4CE for ; Sun, 4 Apr 2004 15:00:39 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F23843D5E for ; Sun, 4 Apr 2004 15:00:39 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i34M0dbv044058 for ; Sun, 4 Apr 2004 15:00:39 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i34M0d01044055; Sun, 4 Apr 2004 15:00:39 -0700 (PDT) (envelope-from gnats)
Resent-Date: Sun, 4 Apr 2004 15:00:39 -0700 (PDT)
Resent-Message-Id: <200404042200.i34M0d01044055@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Serge van den Boom
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1430016A4CE for ; Sun, 4 Apr 2004 14:55:59 -0700 (PDT)
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EE8C43D2D for ; Sun, 4 Apr 2004 14:55:58 -0700 (PDT) (envelope-from svdb@stack.nl)
Received: from toad.stack.nl (zen.stack.nl [2001:610:1108:5010::130]) by mailhost.stack.nl (Postfix) with ESMTP id 4070846D#6C9B81F017 for ; Sun, 4 Apr 2004 23:55:57 +0200 (CEST)
Received: by toad.stack.nl (Postfix, from userid 1106) id 545417F; Sun, 4 Apr 2004 23:55:57 +0200 (CEST)
Message-Id: <20040404215557.545417F@toad.stack.nl>
Date: Sun, 4 Apr 2004 23:55:57 +0200 (CEST)
From: Serge van den Boom
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/65175: buffer overrun in timedc
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Serge van den Boom
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 04 Apr 2004 22:00:39 -0000

>Number:         65175
>Category:       bin
>Synopsis:       buffer overrun in timedc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 04 15:00:38 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Serge van den Boom
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
M.C.G.V. Stack
>Environment:
System: FreeBSD toad.stack.nl 4.9-STABLE FreeBSD 4.9-STABLE #12: Fri Feb 6 12:18:35 CET 2004 jilles@vwww.stack.nl:/vwww.mnt/sources/4.x/obj/vwww.mnt/sources/4.x/sys/toad_vwww i386
>Description:
There exists a buffer overrun in timedc, which is installed setuid root by default.

In interactive mode, if you enter a command, a pointer to each of the arguments is stored in the global array 'margv'. The problem is that the array is declared with size 20, and no bounds checks are done when filling this array.

Fortunately, the command string, from which the array is filled, is no longer than 200 characters, allowing for only a limited range of memory which can be overwritten. On the system where I examined this bug, nothing exploitable seems to be in this range [1]; however, on a different architecture or with a different compiler/linker, this may be different.

If such an exploit were possible, it would not directly lead to root privileges, as these are given up as one of the first things in the program. It would however leave the attacker with a UDP socket bound to a privileged port, and a raw ICMP socket.

[1] The command string itself IS within the overwritable range, and it is possible to overwrite its terminating '\0', which would cause the command line parsing to go on for too long. As there are not many variables after that in the memory page, and the end of the page is still a long way off, another '\0' will inevitably be encountered before any harm can be done.
>How-To-Repeat:
$ timedc
timedc> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
>Fix:
Delete timed/timedc and use ntpd/ntpdc.
>Release-Note:
>Audit-Trail:
>Unformatted:
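The overrun the report describes, as an added example written for this page (it is neither the timedc source nor the submitter's code): an argument tokenizer in the style the report describes, which stores a pointer per token into a fixed array with no bounds check, beside a bounded version that returns an error instead of writing past the array. The 200-byte command line and the 20-slot pointer array are taken from the report; the function names, the run() harness and the constructed "a a a ..." input are this example's own. The unchecked tokenizer is only ever run on a line that fits, because running it on the report's 31-token line is the overrun itself.

```c
#include <ctype.h>
#include <stddef.h>

#define LINE_BYTES  200   /* command buffer size given in the report */
#define MARGV_SLOTS 20    /* argument pointer array size given in the report */

/* Vulnerable form, modelled on the report (not the timedc source): each
 * token takes a slot, the trailing NULL one more, and argp is never
 * compared with the end of margv.  A 200-byte line holds about 100
 * one-character tokens, i.e. on the order of 80 pointer writes past the
 * array.  Only ever called below with a line that fits. */
static int
makeargv_unchecked(char *line, char *margv[MARGV_SLOTS])
{
    char **argp = margv;
    char *cp = line;
    int margc = 0;
    while (*cp != '\0') {
        while (isspace((unsigned char)*cp))
            cp++;
        if (*cp == '\0')
            break;
        *argp++ = cp;             /* no check against margv + MARGV_SLOTS */
        margc++;
        while (*cp != '\0' && !isspace((unsigned char)*cp))
            cp++;
        if (*cp == '\0')
            break;
        *cp++ = '\0';             /* terminate the token in place */
    }
    *argp = NULL;                 /* one more unchecked write */
    return margc;
}

/* Hardened form: capacity is a parameter, one slot is reserved for the
 * NULL terminator, and too many arguments yields -1 (argv NULL-terminated
 * where tokenizing stopped) instead of a write past the array. */
static int
makeargv_bounded(char *line, char **argv, size_t cap)
{
    char *cp = line;
    size_t argc = 0;
    if (cap == 0)
        return -1;
    while (*cp != '\0') {
        while (isspace((unsigned char)*cp))
            cp++;
        if (*cp == '\0')
            break;
        if (argc + 1 >= cap) {    /* would leave no room for the NULL */
            argv[argc] = NULL;
            return -1;
        }
        argv[argc++] = cp;
        while (*cp != '\0' && !isspace((unsigned char)*cp))
            cp++;
        if (*cp == '\0')
            break;
        *cp++ = '\0';
    }
    argv[argc] = NULL;
    return (int)argc;
}

/* Builds "a a a ..." with ntokens tokens, the shape of the report's
 * How-To-Repeat line (constructed input); returns the length written. */
static size_t
build_line(char *buf, size_t bufsz, int ntokens)
{
    size_t len = 0;
    int i;
    for (i = 0; i < ntokens && len + 2 < bufsz; i++) {
        if (i > 0)
            buf[len++] = ' ';
        buf[len++] = 'a';
    }
    buf[len] = '\0';
    return len;
}

/* Runs one tokenizer on an ntokens line with the report's 20-slot array.
 * Returns the argument count, -1 if the bounded one refused (or the
 * unchecked one would overrun), -2 if argv was left unterminated. */
static int
run(int ntokens, int bounded)
{
    char line[LINE_BYTES];
    char *argv[MARGV_SLOTS];
    int rc;
    build_line(line, sizeof line, ntokens);
    if (bounded)
        rc = makeargv_bounded(line, argv, MARGV_SLOTS);
    else if (ntokens < MARGV_SLOTS)
        rc = makeargv_unchecked(line, argv);
    else
        return -1;                /* this would be the report's overrun */
    return (rc >= 0 && argv[rc] != NULL) ? -2 : rc;
}
```

On the report's 31-argument line the unchecked tokenizer needs 32 slots (31 pointers plus the NULL) in a 20-slot array, while run(31, 1) returns -1 and leaves argv NULL-terminated; the 19-argument case is the largest the bounded version accepts, since the 20th slot is the terminator. The bound check is the minimal in-program fix; the report's own recommendation is to drop timed/timedc for ntpd/ntpdc.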