From owner-freebsd-security Mon Sep 11 14:11:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 052CC37B422 for ; Mon, 11 Sep 2000 14:11:21 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.0/8.11.0) id e8BLB8E40365; Tue, 12 Sep 2000 01:11:08 +0400 (MSD) (envelope-from ache) Date: Tue, 12 Sep 2000 01:11:06 +0400 From: "Andrey A. Chernov" To: Szilveszter Adam Cc: freebsd-security@FreeBSD.ORG Subject: Re: [paul@STARZETZ.DE: Breaking screen on BSD] Message-ID: <20000912011105.A40182@nagual.pp.ru> References: <20000911224221.A14920@petra.hos.u-szeged.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20000911224221.A14920@petra.hos.u-szeged.hu>; from sziszi@petra.hos.u-szeged.hu on Mon, Sep 11, 2000 at 10:42:21PM +0200 Organization: Biomechanoid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > As far as there is no way to construct a string containing more 0x0's in > standard C, we can profit from a feature (bug?) in the passing of > environment variables by execve function. execve() will pass empty env > strings (pointers to zeros, _not_ NULL pointers) AS IS, so passing e.g. > environ[a] = empty, environ[a] = empty will lead to two 0x0#s pushed > somewhere onto the stack... With this feature we can construct an array > of arbitrary data on the bottom of the called programm's stack. If this > array can be reached from a fmt-vulnerable function, we can write to ANY > VMA address including also the .data section of a BSD process. Obviously this bug is too general and not related to screen only. It seems we need to fix execve() to prevent this. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message