From owner-freebsd-security Mon Feb 3 01:44:12 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA17918 for security-outgoing; Mon, 3 Feb 1997 01:44:12 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA17913 for ; Mon, 3 Feb 1997 01:44:08 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id DAA18201; Mon, 3 Feb 1997 03:43:14 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702030943.DAA18201@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: torbjorn@norway.eu.net (Torbjorn Ose)
Date: Mon, 3 Feb 1997 03:42:33 -0600 (CST)
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702030817.JAA22183@kirov.eunet.no> from "Torbjorn Ose" at Feb 3, 97 08:17:55 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> This was also fixed in 2.1.6 and there was much talk about this ages ago
> when it was first discovered. This was last year sometime. I also recall
> reading an advisory from FreeBSD about this.

Interesting.

I very recently installed 2.1.6 over the network from FTP.FREEBSD.ORG on one of our machines. Immediately after finding the problem, I tried my exploit on the 2.1.6 machine. It worked without modification.

After reading your message, I tried again. It still worked.

I then looked at the source tree for 2.1.6, and sure enough, crt0 start() still does startup locale processing, and startup_setrunelocale() still has a stack overrun.

Then I downloaded the library source distribution from wcarchive and diffed 2.1.5 against 2.1.6. Know what changed? The version numbers in the RCS strings.

I note that I am unable to find any evidence of a crt0 announcement from FreeBSD. Searches of the freebsd-announce and freebsd-security mailing lists turn up nothing relevant to crt0, start(), or locales. Could you provide a URL to this announcement you recall reading?

The problem certainly was not fixed "by 2.1.6"; 2.1.6 needs to be patched (just as 2.1.5 does). Any system installed off the FTP servers, since the release of 2.1.6 up to and including today, is vulnerable to this problem.

Thanks for the input.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."