Date: Tue, 22 Oct 1996 02:16:58 -0700 (PDT)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
Subject: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Message-ID: <199610220916.CAA16358@freefall.freebsd.org>
Resent-Message-ID: <199610220920.CAA16552@freefall.freebsd.org>
>Number:         1863
>Category:       bin
>Synopsis:       On systems with setuid 'lpr' and defined printers, lpr breaks root
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 02:20:02 PDT 1996
>Last-Modified:
>Originator:     Thomas Ptacek
>Organization:   EnterAct, L.L.C.
>Release:        Unresolved as of 2.2-Current
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386
>Description:
lpr contains a routine called 'card()', which takes an input string and a single character described by an int. The routine copies the input string into a temporary buffer stored on the stack, prepended by the supplied character. No bounds checking is done during the copy, and the card() routine is called with a pointer obtained directly from getopt, causing a stack overflow.
>How-To-Repeat:
On systems with a defined printer:

lpr -P<printername> -C `rootshellcode`

where "rootshellcode" outputs a stream of characters containing return addresses pointing further into the buffer, and 8086 opcodes that will call execve() with "/bin/sh" as an argument.
>Fix:
card() keeps track of the length of the string as it copies it, and the copy takes place in a while loop. Check the incremented length of the string against the size of the temporary buffer, and break the copy as soon as the length is greater than the size of the buffer.
>Audit-Trail:
>Unformatted: