Date: Mon, 3 Feb 1997 03:42:33 -0600 (CST)
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: torbjorn@norway.eu.net (Torbjorn Ose)
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
Message-ID: <199702030943.DAA18201@enteract.com>
In-Reply-To: <199702030817.JAA22183@kirov.eunet.no> from "Torbjorn Ose" at Feb 3, 97 08:17:55 am
> This was also fixed in 2.1.6 and there was much talk about this ages ago
> when it was first discovered. This was last year sometime. I also recall
> reading an advisory from FreeBSD about this.

Interesting. I very recently installed 2.1.6 over the network from FTP.FREEBSD.ORG on one of our machines. Immediately after finding the problem, I tried my exploit on the 2.1.6 machine. It worked without modification.

After reading your message, I tried again. It still worked. I then looked at the source tree for 2.1.6, and sure enough, crt0 start() still does startup locale processing, and startup_setrunelocale() still has a stack overrun.

Then I downloaded the library source distribution from wcarchive and diffed 2.1.5 against 2.1.6. Know what changed? The version numbers in the RCS strings.

I note that I am unable to find any evidence of a crt0 announcement from FreeBSD. Searches of the freebsd-announce and freebsd-security mailing lists turn up nothing relevant to crt0, start(), or locales. Could you provide a URL to this announcement you recall reading?

The problem certainly was not fixed "by 2.1.6"; 2.1.6 needs to be patched (just as 2.1.5 does). Any system installed off the FTP servers, since the release of 2.1.6 up to and including today, is vulnerable to this problem.

Thanks for the input.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
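The message above reports a stack overrun in startup locale processing (startup_setrunelocale(), reached from crt0 start()) but does not show the code. The following is an added illustration written for this archive page, not FreeBSD's libc source and not the poster's exploit: it contrasts the general pattern such bugs take (an environment-supplied string copied into a fixed-size stack buffer with no length check) with a bounded form that rejects input that does not fit. The buffer size LOCALE_NAME_MAX and the function names are assumptions chosen for the example; the real buffer size in the 2.1.x libc is not stated on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size for illustration only; not the size used by FreeBSD's libc. */
#define LOCALE_NAME_MAX 32

/* Illustrative unchecked pattern (constructed for this example, never called
 * by the demonstration below): the environment value is copied into a
 * fixed-size stack buffer without a length check, so any value of
 * LOCALE_NAME_MAX bytes or more writes past the end of `name`. */
int locale_init_unchecked(const char *env_value)
{
    char name[LOCALE_NAME_MAX];
    strcpy(name, env_value);      /* overrun when strlen(env_value) >= LOCALE_NAME_MAX */
    return (int)strlen(name);
}

/* Bounded form: measure first, copy only if the name and its terminating
 * NUL fit in the caller's buffer. Returns the copied length, or -1 when the
 * value is absent, empty, or too long to fit. A startup routine that takes
 * this path simply falls back to the default locale instead of overrunning. */
int locale_init_checked(const char *env_value, char *out, size_t outlen)
{
    size_t n;

    if (env_value == NULL || out == NULL || outlen == 0)
        return -1;
    n = strnlen(env_value, outlen);   /* never scans past outlen bytes */
    if (n == 0 || n >= outlen)        /* empty, or no room for the NUL */
        return -1;
    memcpy(out, env_value, n + 1);
    return (int)n;
}

/* Stand-alone demonstration: treat the process's own LANG the way a checked
 * startup routine would, falling back to "C" when it is unusable. */
int main(void)
{
    char name[LOCALE_NAME_MAX];
    const char *lang = getenv("LANG");   /* may be NULL */
    int len = locale_init_checked(lang, name, sizeof name);

    if (len < 0) {
        strcpy(name, "C");                /* literal "C" always fits */
        printf("LANG unusable or too long; using default locale %s\n", name);
    } else {
        printf("locale %s (%d bytes) accepted\n", name, len);
    }
    return 0;
}
```

The checked routine is deliberately pessimistic: it does not truncate an over-long name, because a truncated locale name is not the name the user asked for, and refusing it is both safer and simpler to reason about.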