From owner-freebsd-security Fri Nov 7 00:56:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA19558 for security-outgoing; Fri, 7 Nov 1997 00:56:19 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA19552 for ; Fri, 7 Nov 1997 00:56:13 -0800 (PST) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id LAA24522 for ; Fri, 7 Nov 1997 11:29:31 +0100
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id KAA19736 for ; Fri, 7 Nov 1997 10:14:37 +0100 (CET)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.5/8.8.5/prosa-1.1) id JAA12375; Fri, 7 Nov 1997 09:55:07 +0100 (CET)
Message-ID: <19971107095506.35947@deepo.prosa.dk>
Date: Fri, 7 Nov 1997 09:55:06 +0100
From: Philippe Regnauld
To: security@freebsd.org
Subject: Fwd: "possible freebsd su problem?"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Description: Main Body
X-Mailer: Mutt 0.69
X-Operating-System: FreeBSD 2.2.1-RELEASE i386
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Is there any potential concern for this ?

-----Forwarded message from taz -----

Date: Thu, 6 Nov 1997 11:30:02 -0600
From: taz
Subject: possible freebsd su problem?
To: BUGTRAQ@NETSPACE.ORG

I checked the archives, not a word of this was to be found so here goes.

First off, my o/s: FreeBSD xxxxxx 2.2.1-RELEASE

Upon running su today, which is obviously setuid on most systems, I used the argument '--' instead of '-'. This caused it to seg fault. I ran gdb on it and found the problem was in a getpwnam() call. Here is the source.
-- FreeBSD su.c (line 175)--
	}

	/* get target login information, default to root */
--->	if ((pwd = getpwnam(user)) == NULL) {	<---
		errx(1, "unknown login: %s", user);
	}
-- end --

It turns out an earlier call to getopt() returns EOF, yet it still thinks it has an extra argument for the username, which it doesn't, so it points user to argv[2], which is null. It then calls getpwnam() with the null argument, as shown in the code, and the getpwnam() function in libc tries to do a strlen() on the null pointer and seg faults. End of program.

Exploitable in any way? I have no idea. I would be very interested in comments on this if it is exploitable.

Attached to this is a small patch which checks to see if user is valid or not before making the getpwnam() call. Again this patch is meant for FreeBSD su only. I tried this same thing on sun and linux and it didn't seem to work.

-taz
------------------------------------------------------------------------
taz on IRC taz@dal.net

-----End of forwarded message-----

-- 
-- Phil
-[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]-