Date: Mon, 3 Feb 1997 09:43:33 -0600 (CST)
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: freebsd-security@freebsd.org
Cc: bugtraq@netspace.org
Subject: Problems with locale routines in general...
Message-ID: <199702031544.JAA12610@enteract.com>
I'm sure I'm rehashing something that the developers are already aware of (FreeBSD -current is not vulnerable to this problem), but from the looks of it, anyone who installed FreeBSD 2.2 prior to December of 1996 is vulnerable to locale routine problems similar to the one that afflicts crt0 start() in FreeBSD 2.1.x. Specifically, I'm able to cause a shell to be executed from any program that calls setlocale() in FreeBSD 2.2. I tested this out with dmesg, which promptly gave me an SGID "kmem" shell.

Note that programs that shed privilege using saved-set UIDs are vulnerable to this problem as well, as the machine code used to take over the affected programs can easily restore privilege.

The locale routines were patched at the end of 1996 to cause PATH_LOCALE (the environment variable whose contents are trampling all over the stack frames of locale routines) to be ignored if the euid doesn't match the uid; the patch also avoids the stack overrun by allocating space for the variable on the heap with strdup(). People running FreeBSD revisions that don't have this patch will want to make sure they've applied these patches as soon as possible.

Vulnerability can easily be assessed by setting LC_CTYPE, filling PATH_LOCALE with 2000 random characters, and attempting to run /sbin/dmesg (which will segfault if the problem exists).

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702031544.JAA12610>
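The following is an added example, not code from the mail above or from FreeBSD's libc. It models the two shapes the mail contrasts (an unbounded copy of PATH_LOCALE into a fixed stack buffer, beside the late-1996 fix that ignores PATH_LOCALE when euid != uid and keeps the accepted value on the heap with strdup()), and then reproduces the assessment step the mail describes: exec a program with LC_CTYPE set and PATH_LOCALE filled with 2000 characters and see whether it dies with SIGSEGV. The buffer size LOCALE_BUF, the LC_CTYPE value, the use of 'A' bytes instead of random characters, and every function name are assumptions made here.

```c
/* Added example (not FreeBSD libc code); names and sizes are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOCALE_BUF 1024  /* assumed size of the old fixed automatic buffer */

/* Vulnerable shape: an environment value copied into an automatic buffer
 * with no length check. So the model cannot smash its own frame, it checks
 * first and returns 1 where the unbounded copy would have overrun buf. */
int vuln_locale_path_overflows(const char *path_locale)
{
    char buf[LOCALE_BUF];
    if (path_locale == NULL)
        return 0;
    if (strlen(path_locale) >= sizeof buf)
        return 1;                 /* unchecked copy writes past buf here */
    strcpy(buf, path_locale);     /* safe only because of the check above */
    return 0;
}

/* Hardened shape matching the fix the mail describes: PATH_LOCALE is
 * ignored when the effective uid differs from the real uid, and the
 * accepted value lives on the heap. Caller frees the result. */
char *safe_locale_path(const char *path_locale, uid_t uid, uid_t euid,
                       const char *default_dir)
{
    if (path_locale == NULL || *path_locale == '\0' || euid != uid)
        return strdup(default_dir);
    return strdup(path_locale);
}

/* Oversized PATH_LOCALE value for the assessment ('A' bytes, assumed). */
char *make_path_locale_probe(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Run prog with only LC_CTYPE and an oversized PATH_LOCALE in its
 * environment. Returns 1 if the child died with SIGSEGV (the symptom the
 * mail describes), 0 if it ended any other way, -1 if it could not run. */
int probe_setlocale_overflow(const char *prog, size_t probe_len)
{
    char *probe = make_path_locale_probe(probe_len);
    size_t envlen = probe_len + sizeof "PATH_LOCALE=";
    char *envvar = probe ? malloc(envlen) : NULL;
    pid_t pid;
    int status, rc = -1;

    if (envvar == NULL)
        goto out;
    snprintf(envvar, envlen, "PATH_LOCALE=%s", probe);
    pid = fork();
    if (pid == 0) {
        char *argv[] = { (char *)prog, NULL };
        char *envp[] = { (char *)"LC_CTYPE=en_US.ISO8859-1", envvar, NULL };
        execve(prog, argv, envp);
        _exit(127);               /* exec failed: distinguishable from a crash */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        goto out;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
        rc = 1;
    else if (WIFEXITED(status) && WEXITSTATUS(status) == 127)
        rc = -1;
    else
        rc = 0;
out:
    free(envvar);
    free(probe);
    return rc;
}

int main(void)
{
    int r = probe_setlocale_overflow("/sbin/dmesg", 2000);
    if (r < 0)
        perror("could not run /sbin/dmesg");
    else
        printf("/sbin/dmesg %s with a 2000-byte PATH_LOCALE\n",
               r ? "segfaulted: locale routines look vulnerable"
                 : "did not segfault");
    return r < 0 ? 2 : r;
}
```

The probe runs the target with a minimal environment so that only the two variables the mail names are in play; a segfault is reported as vulnerable, a clean exit as not, and an exec failure separately, so a missing binary is not mistaken for a patched one. The euid/uid check in safe_locale_path() is the part that matters for set-id programs: it refuses the variable before any copy happens, which is why a long PATH_LOCALE cannot reach the locale routines of dmesg on a patched system.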