Date:      Fri, 7 Nov 1997 09:55:06 +0100
From:      Philippe Regnauld <regnauld@deepo.prosa.dk>
To:        security@freebsd.org
Subject:   Fwd: "possible freebsd su problem?" <taz@primenet.com>
Message-ID:  <19971107095506.35947@deepo.prosa.dk>

	Is there any potential concern for this?

-----Forwarded message from taz <taz@primenet.com>-----

Date:         Thu, 6 Nov 1997 11:30:02 -0600
From: taz <taz@primenet.com>
Subject:      possible freebsd su problem?
To: BUGTRAQ@NETSPACE.ORG

        I checked the archives; not a word of this was to be found, so here
goes.

First off, my o/s:
FreeBSD xxxxxx 2.2.1-RELEASE

        Upon running su today, which is obviously setuid on most systems,
I used the argument '--' instead of '-'. This caused it to seg fault. I
ran gdb on it and found the problem was in a getpwnam() call. Here is the
source.

-- FreeBSD su.c (line 175)--

                }
        /* get target login information, default to root */
--->    if ((pwd = getpwnam(user)) == NULL) {   <---
                errx(1, "unknown login: %s", user);
        }
-- end --

        It turns out an earlier call to getopt() returns EOF, yet it
still thinks it has an extra argument for the username, which it doesn't,
so it points user to argv[2], which is NULL. It then calls getpwnam() with
the NULL argument, as shown in the code, and the getpwnam() function in
libc tries to do a strlen() on the NULL pointer and seg faults. End of
program.

        Exploitable in any way? I have no idea. I would be very
interested in comments on this if it is exploitable. Attached to this is
a small patch which checks to see if user is valid or not before making
the getpwnam() call. Again, this patch is meant for FreeBSD su only. I
tried this same thing on Sun and Linux and it didn't seem to work.

-taz

------------------------------------------------------------------------
taz on IRC
taz@dal.net


-----End of forwarded message-----

-- 
                                                              -- Phil

-[ Philippe Regnauld  /  Systems Administrator  /  regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E        PGP Key: finger regnauld@hotel.prosa.dk ]-



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19971107095506.35947>