From owner-freebsd-current Wed Aug 7 18:28:47 1996
Date: Wed, 7 Aug 1996 17:39:51 -0400 (EDT)
From: "Charles C. Figueiredo"
To: current@freebsd.org
Subject: exploitable security risk

/usr/src/usr.bin/modstat/modstat.c does a blind strcpy from a char pointer into a 32-byte buffer. What makes this worse is that strcpy does not check len, and what's being copied into the 32-byte buffer is specified via argv. If it were a bigger buffer it'd be easier to exploit, but anyone proficient in x86 asm could probably handle 32 bytes. It's quite obvious that this is a very possible buffer overflow.

I've prepared a diff from the latest modstat.c to a more secure modstat.c ;-)

--
48a49,50
> #define MNLEN 32
>
75,76c77,78
< if (modname != NULL)
< strcpy(sbuf.name, modname);
---
> if ( modname != NULL)
> strncpy(sbuf.name, modname, MNLEN);
--

------------------------------------------------------------------------------
Charles C. Figueiredo    CCF13    marxx@doomsday.org
------------------------------------------------------------------------------
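Review bot: the replacement at 77,78, `strncpy(sbuf.name, modname, MNLEN);`, stops the overflow but leaves sbuf.name without a NUL terminator whenever strlen(modname) >= MNLEN, so any later use of sbuf.name as a C string reads past the 32-byte field; copy at most MNLEN - 1 bytes and write sbuf.name[MNLEN - 1] = '\0' afterwards, or better, check strlen(modname) against sizeof(sbuf.name) up front and reject over-long names with an error instead of silently truncating them to a different module name. Using sizeof(sbuf.name) also avoids a separate MNLEN constant that can drift from the struct definition. Minor: the stray space in `if ( modname != NULL)` and the empty added line after `#define MNLEN 32` look unintended.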
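The termination problem with the bounded copy in the patch, as an added stand-alone example (not the page's or FreeBSD's code): `struct modinfo`, `copy_modname`, `strncpy_terminates` and `checked_copy` are hypothetical names, and only the 32-byte name field from the diff is modelled.

```c
#include <string.h>

/* Size of the name field in the modstat.c diff above. */
#define MNLEN 32

/* Stand-in for the record modstat fills in (hypothetical; only the
 * 32-byte name field from the patch matters here). */
struct modinfo {
    char name[MNLEN];
};

/* Bounded copy that always NUL-terminates dst.
 * Returns 0 when src fit, 1 when it had to be cut to MNLEN-1 bytes. */
int copy_modname(char dst[MNLEN], const char *src)
{
    size_t len = strlen(src);
    if (len >= MNLEN) {
        memcpy(dst, src, MNLEN - 1);
        dst[MNLEN - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);          /* includes the terminator */
    return 0;
}

/* 1 if a NUL exists somewhere in the MNLEN-byte field, else 0. */
int name_is_terminated(const struct modinfo *m)
{
    return memchr(m->name, '\0', MNLEN) != NULL;
}

/* Plain strncpy(dst, src, MNLEN) exactly as in the patch: returns 1 if
 * the field is still terminated, 0 if strncpy filled all MNLEN bytes
 * without a NUL (which happens whenever strlen(src) >= MNLEN). */
int strncpy_terminates(const char *src)
{
    struct modinfo m;
    memset(m.name, 'X', MNLEN);         /* poison: no stray NULs left over */
    strncpy(m.name, src, MNLEN);
    return name_is_terminated(&m);
}

/* copy_modname on the same input: -1 if unterminated (never expected),
 * otherwise the truncation flag (0 = fit, 1 = truncated). */
int checked_copy(const char *src)
{
    struct modinfo m;
    memset(m.name, 'X', MNLEN);
    int truncated = copy_modname(m.name, src);
    return name_is_terminated(&m) ? truncated : -1;
}
```

A caller should treat a return of 1 from `copy_modname` as an error rather than proceed with a silently shortened module name.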