Date: Wed, 12 Feb 1997 12:51:56 +0300 (MSK)
From: Vadim Kolontsov <vadim@tversu.ac.ru>
To: freebsd-security@freebsd.org
Subject: new bugs with strcpy()
Message-ID: <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru>
Hello,

Today morning I've taken a look at some FreeBSD sources... It looks like we have many potential holes in the source tree (it takes only 15 minutes to find them). For example, tftpd:

======
int validate_access(char **filep, int mode)
{
    .
    .
    .
    static char pathname[MAXPATHLEN];
    char *filename = *filep;
    .
    .
    .
    sprintf(pathname, "%s/%s", dirp->name, filename);
    .
    .
    .
}

(of course, tftpd runs as nobody by default, but once you get access to the system you can use another exploit...)

libmytinfo:
===========
void _tcapconv()
{
    char buf[MAX_LINE+1];
    .
    .
    .
    s = strcpy(buf, other_non_function_keys);
    .
    .
    .
}

(other_non_function_keys is the "ok=" entry in termcap; remember that you can have your own ~username/.termcap!)

It looks like we need to check the whole source tree carefully.. Or at least apply patches to libc's strcpy() that check the stack frame.

Best regards,
Vadim.

--------------------------------------------------------------------------
Vadim Kolontsov                                  SysAdm/Programmer
Tver Regional Center of New Information Technologies   Networks Lab
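Added example (not part of Vadim's message or of the FreeBSD tftpd/libmytinfo sources): the two unbounded calls he quotes, rewritten with an explicit length check so that an oversized directory name, filename or termcap capability is rejected instead of written past the end of a fixed buffer. The EX_MAXPATHLEN and EX_MAX_LINE sizes and the sample inputs are constructed for illustration.

```c
/* Added example, not code from the original mail or from FreeBSD.
 * Bounded replacements for the sprintf()/strcpy() patterns quoted above.
 * Sizes below are assumed stand-ins for MAXPATHLEN and MAX_LINE. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define EX_MAXPATHLEN 1024   /* assumed stand-in for MAXPATHLEN */
#define EX_MAX_LINE   256    /* assumed stand-in for MAX_LINE */

/* Hardened form of
 *     sprintf(pathname, "%s/%s", dirp->name, filename);
 * Returns 0 and fills `out` on success, -1 if the result would not fit.
 * snprintf() returns the length it wanted to write, so a value >= outsz
 * means the path was truncated and must be rejected, not used. */
int build_path(char *out, size_t outsz, const char *dir, const char *file)
{
    if (outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* never leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Hardened form of
 *     s = strcpy(buf, other_non_function_keys);
 * where the source string is attacker-controlled (a user's own ~/.termcap).
 * Refuses sources that do not fit rather than silently truncating them. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    /* Look for the terminator only inside the first dstsz bytes. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;              /* no room for the string plus terminator */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Exercises both helpers with constructed inputs and returns how many
 * oversized requests were rejected (2 for the inputs below). */
int demo(void)
{
    char path[EX_MAXPATHLEN];
    char line[EX_MAX_LINE + 1];
    char longname[EX_MAXPATHLEN + 16];   /* longer than the whole path buffer */
    int rejected = 0;

    /* Benign tftp request: fits, so the path is built. */
    if (build_path(path, sizeof path, "/tftpboot", "kernel") == 0)
        printf("ok: %s\n", path);

    /* Filename longer than pathname[] itself: the old sprintf() would
     * run past the end of the static buffer; here it is refused. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (build_path(path, sizeof path, "/tftpboot", longname) != 0)
        rejected++;

    /* An "ok=" capability longer than MAX_LINE from a user's .termcap. */
    if (bounded_copy(line, sizeof line, longname) != 0)
        rejected++;

    return rejected;
}

int main(void)
{
    printf("rejected %d oversized inputs\n", demo());
    return 0;
}
```

The important detail in build_path is that the snprintf() return value is checked: a truncated pathname is just as wrong as an overflowed one, since it may name a different file than the client asked for, so the caller gets an error instead of a shortened path.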