From owner-freebsd-bugs Tue Oct 22 02:20:07 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA16577 for bugs-outgoing; Tue, 22 Oct 1996 02:20:07 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA16552; Tue, 22 Oct 1996 02:20:04 -0700 (PDT)
Resent-Date: Tue, 22 Oct 1996 02:20:04 -0700 (PDT)
Resent-Message-Id: <199610220920.CAA16552@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org,
Received: (from nobody@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA16358; Tue, 22 Oct 1996 02:16:58 -0700 (PDT)
Message-Id: <199610220916.CAA16358@freefall.freebsd.org>
Date: Tue, 22 Oct 1996 02:16:58 -0700 (PDT)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         1863
>Category:       bin
>Synopsis:       On systems with setuid 'lpr' and defined printers, lpr breaks root
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 02:20:02 PDT 1996
>Last-Modified:
>Originator:     Thomas Ptacek
>Organization:   EnterAct, L.L.C.
>Release:        Unresolved as of 2.2-Current
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386
>Description:
lpr contains a routine called card(), which takes an input string and a single character passed as an int. The routine copies the input string into a temporary buffer on the stack, prepended by the supplied character. No bounds checking is done during the copy, and card() is called with a pointer obtained directly from getopt, so an overlong option argument overflows the stack buffer.
>How-To-Repeat:
On systems with a defined printer:

lpr -P -C `rootshellcode`

where "rootshellcode" outputs a stream of characters containing return addresses pointing further into the buffer, and 8086 opcodes that will call execve() with "/bin/sh" as an argument.
>Fix:
card() keeps track of the length of the string as it copies it, and the copy takes place in a while loop. Check the incremented length of the string against the size of the temporary buffer, and break out of the copy as soon as the length exceeds the size of the buffer.
>Audit-Trail:
>Unformatted:
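As an added illustration of the fix described above (this is not the submitter's code and not lpr's source), a C reconstruction of the bounded copy loop; the buffer size, the 'out' parameter, the demo_long() helper and the 40-byte sample argument are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Stack buffer size: lpr's is larger; this small value is an assumption
 * chosen so the truncation is easy to see. */
#define CARD_BUF 16

/* Reconstruction of the fix the report proposes (an assumption, not lpr's
 * source): the character is prepended, then the string is copied in a
 * while loop that tracks the length and breaks as soon as the next byte
 * would exceed the buffer; the unbounded original copied up to the NUL
 * with no check. Returns the bytes placed in the buffer and, if 'out' is
 * given, copies them there (lpr writes the buffer out instead; omitted). */
size_t card_bounded(int c, const char *p2, char *out, size_t outlen)
{
    char buf[CARD_BUF];       /* the temporary stack buffer */
    char *p1 = buf;
    size_t len = 1;           /* the prepended character counts */

    *p1++ = (char)c;
    while (*p2 != '\0') {
        if (len + 1 > sizeof(buf))   /* incremented length vs. buffer size */
            break;                   /* stop: nothing is written past buf */
        *p1++ = *p2++;
        len++;
    }
    if (out != NULL)
        memcpy(out, buf, len < outlen ? len : outlen);
    return len;
}

/* Constructed 40-byte argument, longer than CARD_BUF, standing in for an
 * overlong -C value of the kind getopt hands to card(); plain 'A's only. */
static const char LONG_ARG[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Bounded copy of LONG_ARG; returns the length kept (CARD_BUF), or 0 if
 * the result overran the buffer or lost the prepended character. */
size_t demo_long(void)
{
    char out[CARD_BUF];
    size_t n = card_bounded('C', LONG_ARG, out, sizeof(out));
    return (n > CARD_BUF || out[0] != 'C' || out[1] != 'A') ? 0 : n;
}

int main(void)
{
    printf("short: %zu bytes\n", card_bounded('C', "abc", NULL, 0));   /* 4 */
    printf("long:  %zu bytes, capped at %d\n", demo_long(), CARD_BUF); /* 16 */
    return 0;
}
```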