From: Vadim Kolontsov
To: freebsd-security@freebsd.org
Date: Wed, 12 Feb 1997 12:51:56 +0300 (MSK)
Subject: new bugs with strcpy()

Hello,

This morning I took a look at some FreeBSD sources... It looks like we have many potential holes in the source tree (it takes only 15 minutes to find them). For example:

tftpd:
======

    int validate_access(char **filep, int mode)
    {
        . . .
        static char pathname[MAXPATHLEN];
        char *filename = *filep;
        . . .
        sprintf(pathname, "%s/%s", dirp->name, filename);
        . . .
    }

(of course, tftpd runs as nobody by default, but once you get access to the system you can use another exploit...)

libmytinfo:
===========

    void _tcapconv()
    {
        char buf[MAX_LINE+1];
        . . .
        s = strcpy(buf, other_non_function_keys);
        . . .
    }

(other_non_function_keys is the "ok=" entry in termcap; remember that you can have your own ~username/.termcap!)

It looks like we need to check the whole source tree carefully... Or at least apply patches to libc's strcpy() that check the stack frame.

Best regards,
Vadim.

--------------------------------------------------------------------------
Vadim Kolontsov                                        SysAdm/Programmer
Tver Regional Center of New Information Technologies       Networks Lab
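As an added illustration (not part of Vadim's message or the FreeBSD sources), the two unchecked calls above rewritten in bounded form: join_path() replaces the sprintf() into the fixed pathname[] buffer and refuses names that do not fit, and copy_bounded() replaces strcpy() with strlcpy-style semantics so the caller can detect truncation. Function names, buffer sizes and the sample inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for sprintf(pathname, "%s/%s", dirp->name, filename).
 * Returns 0 with 'out' filled on success; -1 and out[0] == '\0' if the
 * joined path would not fit in outsz bytes (snprintf reports the full length). */
int join_path(char *out, size_t outsz, const char *dir, const char *file)
{
    int n;
    if (out == NULL || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outsz) {  /* truncated: refuse rather than serve a mangled path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical replacement for strcpy(buf, other_non_function_keys):
 * copies at most dstsz-1 bytes, always NUL-terminates, and returns
 * strlen(src) so a return value >= dstsz signals truncation. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz != 0) {
        size_t n = len < dstsz - 1 ? len : dstsz - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Small wrappers with fixed-size stack buffers (constructed sizes) so the
 * outcome of each call is visible as a plain return value. */
int join_fits(const char *dir, const char *file)
{
    char pathname[16];
    return join_path(pathname, sizeof pathname, dir, file);
}

int copy_truncated(const char *src)
{
    char buf[8];
    return copy_bounded(buf, sizeof buf, src) >= sizeof buf;  /* 1 when src did not fit */
}

int main(void)
{
    /* Constructed inputs: the second file name and termcap entry are too long. */
    printf("%d %d\n", join_fits("/tftpboot", "boot"), join_fits("/tftpboot", "a_long_filename"));
    printf("%d %d\n", copy_truncated("short"), copy_truncated("this entry is longer than buf"));
    return 0;
}
```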