From owner-freebsd-security Mon Feb 3 07:44:21 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA03901 for security-outgoing; Mon, 3 Feb 1997 07:44:21 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA03895 for ; Mon, 3 Feb 1997 07:44:16 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id JAA12610; Mon, 3 Feb 1997 09:44:14 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031544.JAA12610@enteract.com>
Subject: Problems with locale routines in general...
To: freebsd-security@freebsd.org
Date: Mon, 3 Feb 1997 09:43:33 -0600 (CST)
Cc: bugtraq@netspace.org
Reply-To: tqbf@enteract.com
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm sure I'm rehashing something that the developers are already aware of (FreeBSD -current is not vulnerable to this problem), but from the looks of it, anyone who installed FreeBSD 2.2 prior to December of 1996 is vulnerable to locale routine problems similar to the one that afflicts crt0 start() in FreeBSD 2.1.x.

Specifically, I'm able to cause a shell to be executed from any program that calls setlocale() in FreeBSD 2.2. I tested this out with dmesg, which promptly gave me an SGID "kmem" shell. Note that programs that shed privilege using saved-set UIDs are vulnerable to this problem as well, as the machine code used to take over the affected programs can easily restore privilege.

The locale routines were patched at the end of 1996 to cause PATH_LOCALE (the environment variable whose contents are trampling all over the stack frames of locale routines) to be ignored if the euid doesn't match the uid; the patch also avoids the stack overrun by allocating space for the variable on the heap with strdup().

People running FreeBSD revisions that don't have this patch will want to make sure they've applied these patches as soon as possible. Vulnerability can easily be assessed by setting LC_CTYPE, filling PATH_LOCALE with 2000 random characters, and attempting to run /sbin/dmesg (which will segfault if the problem exists).

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."