Date: Sun, 27 Oct 1996 07:00:58 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
Subject: bin/1903: Arbitrary users can break root on systems with an SUID /sbin/route
Message-ID: <199610271500.HAA26372@freefall.freebsd.org>
Resent-Message-ID: <199610271510.HAA26621@freefall.freebsd.org>

>Number: 1903
>Category: bin
>Synopsis: Arbitrary users can break root on systems with an SUID /sbin/route
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Oct 27 07:10:01 PST 1996
>Last-Modified:
>Originator: Thomas Ptacek
>Organization: EnterAct, L.L.C.
>Release: FreeBSD 2.1.5-RELEASE
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386
>Description:
When a user attempts to get a route entry using 'route get', route does a reverse DNS lookup. It fails to check the length of the returned hostname before copying it into a 50 byte buffer. Additionally, large values for the argument to the 'get' command will cause 'route' to die on SIGSEGV; gdb shows the stack being overwritten with this value.
>How-To-Repeat:
>Fix:
Take the SUID bit off /sbin/route.
>Audit-Trail:
>Unformatted:
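
The class of bug described in the report, shown as an added example that is not part of the original message and is not FreeBSD's route source: an unchecked copy of a resolver-supplied name into a 50-byte buffer, beside a length-checked form that falls back to the numeric address. The function names, the fallback behaviour and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOSTBUF_LEN 50 /* buffer size given in the report */

/* Unsafe pattern (hypothetical helper, shown for contrast, never called):
 * the name comes from a DNS answer the caller does not control, and
 * strcpy() writes past dst whenever it is longer than the buffer. */
void copy_name_unchecked(char *dst, const char *resolved)
{
    strcpy(dst, resolved);
}

/* Checked form (hypothetical helper): use the resolved name only if it
 * fits together with its terminating NUL; otherwise print the numeric
 * address, whose length is bounded.
 * Returns 1 if the name was used, 0 on numeric fallback, -1 on error. */
int copy_name_checked(char *dst, size_t dstlen,
                      const char *resolved, uint32_t addr)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    if (resolved != NULL && strlen(resolved) < dstlen) {
        memcpy(dst, resolved, strlen(resolved) + 1);
        return 1;
    }
    /* addr is in host byte order, e.g. 0xC0000201 for 192.0.2.1 */
    n = snprintf(dst, dstlen, "%u.%u.%u.%u",
                 (unsigned)(addr >> 24) & 0xffu, (unsigned)(addr >> 16) & 0xffu,
                 (unsigned)(addr >> 8) & 0xffu, (unsigned)addr & 0xffu);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0'; /* never leave a truncated address behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[HOSTBUF_LEN];
    char oversized[201]; /* constructed input: 200-byte "hostname" */

    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    copy_name_checked(buf, sizeof buf, oversized, 0xC0000201u);
    printf("%s\n", buf); /* numeric fallback, buffer intact */
    return 0;
}
```
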