From owner-freebsd-bugs Sun Oct 27 07:10:07 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA26627 for bugs-outgoing; Sun, 27 Oct 1996 07:10:07 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA26621; Sun, 27 Oct 1996 07:10:03 -0800 (PST)
Resent-Date: Sun, 27 Oct 1996 07:10:03 -0800 (PST)
Resent-Message-Id: <199610271510.HAA26621@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org,
Received: (from nobody@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA26372; Sun, 27 Oct 1996 07:00:58 -0800 (PST)
Message-Id: <199610271500.HAA26372@freefall.freebsd.org>
Date: Sun, 27 Oct 1996 07:00:58 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: bin/1903: Arbitrary users can break root on systems with an SUID /sbin/route
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         1903
>Category:       bin
>Synopsis:       Arbitrary users can break root on systems with an SUID /sbin/route
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 27 07:10:01 PST 1996
>Last-Modified:
>Originator:     Thomas Ptacek
>Organization:
EnterAct, L.L.C.
>Release:        FreeBSD 2.1.5-RELEASE
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep 9 03:07:45 CDT 1996 tqbf@adam:/home1/src/sys/compile/ADAMSTOMP i386
>Description:
When a user attempts to get a route entry using 'route get', route does
a reverse DNS lookup. It fails to check the length of the returned
hostname before copying it into a 50 byte buffer.

Additionally, large values for the argument to the 'get' command will
cause 'route' to die on SIGSEGV; gdb shows the stack being overwritten
with this value.
>How-To-Repeat:
>Fix:
Take the SUID bit off /sbin/route.
>Audit-Trail:
>Unformatted:
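
Added example, not part of the original report and not taken from the route(8) source: one way to guard the copy described under >Description, so that a resolver-supplied name that is too long for the buffer is rejected instead of copied. Only the 50-byte buffer size comes from the report; the function names, the accepted character set and the fallback to the numeric address are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define HOSTBUF_LEN 50 /* buffer size given in the report */

/* Hypothetical helper: accept a resolver-supplied name only if it fits in
 * dstlen bytes (NUL included) and uses an assumed hostname character set. */
static int hostname_ok(const char *name, size_t dstlen)
{
    size_t n, i;
    if (name == NULL || name[0] == '\0')
        return 0;
    n = strlen(name);
    if (n >= dstlen) /* the length check the report says is missing */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '.' && c != '_')
            return 0;
    }
    return 1;
}

/* Fill dst with the resolved name, or with the numeric address when the name
 * is missing, too long or malformed. Returns 1, 0 or -1 (nothing fits). */
int display_host(char *dst, size_t dstlen, const char *resolved,
                 const char *numeric)
{
    int n;
    if (dst == NULL || dstlen == 0)
        return -1;
    if (hostname_ok(resolved, dstlen)) {
        memcpy(dst, resolved, strlen(resolved) + 1); /* length verified above */
        return 1;
    }
    n = (numeric != NULL) ? snprintf(dst, dstlen, "%s", numeric) : -1;
    if (n >= 0 && (size_t)n < dstlen)
        return 0;
    dst[0] = '\0';
    return -1;
}

int main(void)
{
    char buf[HOSTBUF_LEN]; /* inputs below are constructed samples */
    int r = display_host(buf, sizeof buf, "gw.example.org", "192.0.2.1");
    printf("%d %s\n", r, buf);
    return 0;
}
```

The bounded copy addresses the overflow itself; the report's fix of removing the SUID bit limits what any remaining parsing bug in the binary can reach.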